WASHINGTON, Oct. 1, 2010 — Information technology, and the world’s reliance on it, has redefined the front lines of national security, Deputy Defense Secretary William J. Lynn III said at the Council on Foreign Relations in New York City yesterday.
“Any major future conflict will almost certainly include elements of cyberwarfare,” he said. “And the threat posed by cyberwarfare extends far beyond military operations – it extends to the very heart of our economy.”
The department was always aware of the threats posed by hackers, nation states or terror groups in the cyberworld, but DOD experienced a wake-up call in 2008 when an intrusion into military networks extended to the classified realm.
“Up to that point, we did not think our classified networks could be penetrated,” Lynn said.
The compromise, he said, occurred when someone in the Middle East used a thumb drive to transfer data from the unclassified network to the classified network. The department launched Operation Buckshot Yankee to repair the breach and spent a lot of time, energy and money to remedy the situation. The attack led to a new approach to cyber security in the Pentagon, Lynn said.
Lynn expanded on a recent article he wrote for the council’s Foreign Affairs magazine. He detailed the attributes of the threats in cyberspace. First, he said, cyber is an asymmetric threat. It costs very little to develop a cyberthreat, while defending against it costs quite a lot. He gave an example.
“Some of the most sophisticated defense softwares that are commercially available now have between 5 million and 10 million lines of code,” he said. “They are massive, work intensive, difficult products to develop.”
However, “the average malware has stayed constant over the last decade at 170 lines of code,” Lynn said. This mismatch between cyber offense and defense is substantial, he said, and will be a fact of life for the immediate future.
A second attribute of the cyberthreat is the difficulty of finding out who launched the attack, Lynn said, noting a keystroke can fly around the world in seconds.
“The forensics of identifying an attacker can take weeks, months — or even years — if you can do it at all,” the deputy secretary said.
This situation, Lynn said, breaks down conventional deterrence strategy that was employed during the Cold War. “If you don’t know who to attribute an attack to, you can’t retaliate against that attack, so you can’t deter through the threat of punishment,” he said.
A third attribute, Lynn said, is that cyberwarfare is offense-dominant. The Internet, he said, was not developed with security in mind. Instead, he added, the Internet is open, transparent and encourages ease of technical innovation.
“Structurally, you will find the defender is always lagging behind the attacker in terms of developing measures and countermeasures,” Lynn said. “Adept programmers will always be able to find vulnerabilities and challenge security measures.”
Given the nature of the cyberthreat, Lynn said, DOD cannot adopt a bunker-type, defensive mentality — hunkered down behind a seemingly impenetrable wall, but in reality exposed to dangers.
“We need to be more innovative and active,” Lynn said.
The bottom line, he said, is that cyber is a new domain of warfare, like land, sea, air and space. The new domain needs policies, doctrine, planning, resources and strategy like the other domains, Lynn said, noting this is one reason why the department stood up U.S. Cyber Command in May.
Cyberdefenses need to be active, Lynn said. While computer hygiene and perimeter defenses will catch and stop about 80 percent of cyberthreats, he said, the final 20 percent need active defenses. So, DOD needs tools that search and hunt down cyberthreats inside networks, he added.
Lynn said the department also needs to participate in protecting critical infrastructure such as power grids, transport and financial networks. Though the Department of Homeland Security has the cyberdefense lead for the U.S. government, DOD can provide expertise when needed, he said.
Cyberdefense also is a shared activity, Lynn said: the more attack signatures identified, the better the protection. Shared warning among allies – a basis of Cold War strategy – is just as important today, he said, noting the United States is sharing information with the United Kingdom, Australia and Canada.
The United States is now looking to NATO to expand that cyberdefense umbrella, the deputy secretary said, noting there will likely be a strong statement on cybersecurity during the November NATO summit in Lisbon, Portugal.
“We need to continue to leverage [the] U.S. technological base to retain the cyber advantage,” Lynn said. America also needs to use technical innovation to change the terms of the offense-defense equation, he added.
“Over time, we can develop techniques that will even out offense and defense to a greater degree than we see now,” Lynn said.
The Defense Advanced Research Projects Agency and other DOD organizations, he said, are looking at this offense-defense balance and ways it may be made more equal.
U.S. Department of Defense
Office of the Assistant Secretary of Defense (Public Affairs)