Lynn: Cyberwarfare Extends Scope of Conflict

WASHINGTON, Oct. 1, 2010 — Infor­ma­tion tech­nol­o­gy, and the world’s reliance on it, has rede­fined the front lines of nation­al secu­ri­ty, Deputy Defense Sec­re­tary William J. Lynn III said at the Coun­cil on For­eign Rela­tions in New York City yes­ter­day.

“Any major future con­flict will almost cer­tain­ly include ele­ments of cyber­war­fare,” he said. “And the threat posed by cyber­war­fare extends far beyond mil­i­tary oper­a­tions – it extends to the very heart of our econ­o­my.”

The depart­ment was always aware of the threats posed by hack­ers, nation states or ter­ror groups in the cyber­world, but DOD expe­ri­enced a wake-up call in 2008 when an intru­sion into mil­i­tary net­works extend­ed to the clas­si­fied realm.

“Up to that point, we did not think our clas­si­fied net­works could be pen­e­trat­ed,” Lynn said.

The com­pro­mise, he said, occurred when some­one in the Mid­dle East used a thumb dri­ve to trans­fer data from the unclas­si­fied net­work to the clas­si­fied net­work. The depart­ment launched Oper­a­tion Buck­shot Yan­kee to repair the breach and spent a lot of time, ener­gy and mon­ey to rem­e­dy the sit­u­a­tion. The attack led to a new approach to cyber secu­ri­ty in the Pen­ta­gon, Lynn said.

Lynn expand­ed on a recent arti­cle he wrote for the council’s For­eign Affairs mag­a­zine. He detailed the attrib­ut­es of the threats in cyber­space. First, he said, cyber is an asym­met­ric threat. It costs very lit­tle to devel­op a cyberthreat, while defend­ing against it costs quite a lot. He gave an exam­ple.

“Some of the most sophis­ti­cat­ed defense soft­wares that are com­mer­cial­ly avail­able now have between 5 mil­lion and 10 mil­lion lines of code,” he said. “They are mas­sive, work inten­sive, dif­fi­cult prod­ucts to devel­op.”

How­ev­er, “the aver­age mal­ware has stayed con­stant over the last decade at 170 lines of code,” Lynn said. This mis­match between cyber offense and defense is sub­stan­tial, he said, and will be a fact of life for the imme­di­ate future.

A sec­ond attribute of the cyberthreat is the dif­fi­cul­ty of find­ing out who launched the attack, Lynn said, not­ing a key­stroke can fly around the world in sec­onds.

“The foren­sics of iden­ti­fy­ing an attack­er can take weeks, months — or even years — if you can do it at all,” the deputy sec­re­tary said.

This sit­u­a­tion, Lynn said, breaks down con­ven­tion­al deter­rence strat­e­gy that was employed dur­ing the Cold War. “If you don’t know who to attribute an attack to, you can’t retal­i­ate against that attack, so you can’t deter through the threat of pun­ish­ment,” he said.

A third attribute, Lynn said, is that cyber­war­fare is offense-dom­i­nant. The Inter­net, he said, was not devel­oped with secu­ri­ty in mind. Instead, he added, the Inter­net is open, trans­par­ent and encour­ages ease of tech­ni­cal inno­va­tion.

“Struc­tural­ly, you will find the defend­er is always lag­ging behind the attack­er in terms of devel­op­ing mea­sures and coun­ter­mea­sures,” Lynn said. “Adept pro­gram­mers will always be able to find vul­ner­a­bil­i­ties and chal­lenge secu­ri­ty mea­sures.”

Giv­en the nature of the cyper­threat, Lynn said, DOD can­not adopt a bunker-type, defen­sive men­tal­i­ty — hun­kered down behind a seem­ing­ly impen­e­tra­ble wall, but in real­i­ty exposed to dan­gers.

“We need to be more inno­v­a­tive and active,” Lynn said.

The bot­tom line, he said, is that cyber is a new domain of war­fare, like land, sea, air and space. The new domain needs poli­cies, doc­trine, plan­ning, resources and strat­e­gy like the oth­er domains, Lynn said, not­ing this is one rea­son why the depart­ment stood up U.S. Cyber Com­mand in May.

Cyberde­fens­es need to be active, Lynn said. While com­put­er hygiene and perime­ter defens­es will catch and stop about 80 per­cent of cyberthreats, he said, the final 20 per­cent need active defens­es. So, DOD needs tools that search and hunt down cyberthreats inside net­works, he added.

Lynn said the depart­ment also needs to par­tic­i­pate in pro­tec­tions to crit­i­cal infra­struc­ture such as pow­er grids, trans­port and finan­cial net­works. Though the Depart­ment of Home­land Secu­ri­ty has the cyberde­fense lead for the U.S. gov­ern­ment, DOD can pro­vide exper­tise when need­ed, he said.

Cyberde­fense also is a shared activ­i­ty, Lynn said, with the more attack sig­na­tures iden­ti­fied, the bet­ter the pro­tec­tion. Shared warn­ing among allies –- a basis of Cold War strat­e­gy –- is just as impor­tant today, he said, not­ing the Unit­ed States is shar­ing infor­ma­tion with the Unit­ed King­dom, Aus­tralia and Cana­da.

The Unit­ed States is now look­ing to NATO to expand that cyberde­fense umbrel­la, the deputy sec­re­tary said, not­ing there will like­ly be a strong state­ment on cyber­se­cu­ri­ty dur­ing the Novem­ber NATO sum­mit in Lis­bon, Por­tu­gal.

“We need to con­tin­ue to lever­age [the] U.S. tech­no­log­i­cal base to retain the cyber advan­tage,” Lynn said. Amer­i­ca also needs to use tech­ni­cal inno­va­tion to change the terms of the offense-defense equa­tion, he added.

“Over time, we can devel­op tech­niques that will even out offense and defense to a greater degree than we see now,” Lynn said.

The Defense Advanced Research Projects Agency and oth­er DOD orga­ni­za­tions, he said, are look­ing at this offense-defense bal­ance and ways it may be made more equal.

U.S. Depart­ment of Defense
Office of the Assis­tant Sec­re­tary of Defense (Pub­lic Affairs)

More news and arti­cles can be found on Face­book and Twit­ter.

Fol­low on Face­book and/or on Twit­ter