Lynn Gains IT Industry’s Cybersecurity Perspective

SAN FRANCISCO, Feb. 16, 2011 — Deputy Defense Sec­re­tary William J. Lynn III returned yes­ter­day from a two-day cyber­se­cu­ri­ty-focused trip here that includ­ed a keynote speech and meet­ings with indus­try lead­ers.
Through­out his vis­it, Lynn focused on com­mu­ni­cat­ing with infor­ma­tion tech­nol­o­gy pro­fes­sion­als, whom he terms crit­i­cal to nation­al efforts to pro­tect key defense and eco­nom­ic net­works.

The long-term objec­tive for cyber­se­cu­ri­ty, Lynn not­ed, is to impose “more costs” on cyber attack­ers with­out depriv­ing the Inter­net of its dynamism.

“Across the board, we heard from all of these com­pa­nies that this is pos­si­ble,” he said. “It’s not fast. It’s not like we can put a patch out. This is a more fun­da­men­tal re-engi­neer­ing, but I think it is pos­si­ble with­out huge dis­rup­tion.”

Dur­ing a speech at the RSA Con­fer­ence 2011 and in meet­ings with exec­u­tives from small tech start-up com­pa­nies and infor­ma­tion tech­nol­o­gy giants such as Intel, Google and Microsoft, the deputy sec­re­tary stressed a few key themes:

— Threats to the cyber domain are var­ied and will increase;

— Action now can main­tain the nation’s mil­i­tary and eco­nom­ic edge in that domain; and

— A com­bined whole-of-gov­ern­ment and indus­try effort is nec­es­sary in the cyber­se­cu­ri­ty effort.

“The [cyber] threat is still matur­ing,” Lynn told reporters at the con­fer­ence, which brought togeth­er thou­sands of secu­ri­ty, crypt­an­a­lyst and infor­ma­tion tech­nol­o­gy pro­fes­sion­als.

Though the threat cur­rent­ly is lim­it­ed most­ly to exploita­tion and dis­rup­tion efforts, Lynn said dur­ing his speech, the capa­bil­i­ty for destruc­tive attacks exists. He added that on the exploita­tion front, more than 100 for­eign intel­li­gence ser­vices have launched attempts to infil­trate Defense Depart­ment net­works.

Dis­rup­tion or denial-of-ser­vice attacks are a more ele­vat­ed cyber threat, he said. Lynn cit­ed such attacks in Esto­nia in 2007 and the for­mer Sovi­et repub­lic of Geor­gia in 2008, and, more recent­ly, a hack­er group’s tar­get­ing of eBay and Pay­Pal as prime exam­ples of such attacks.

Destruc­tive attacks, using cyber tools to cause phys­i­cal dam­age, are emerg­ing only now as a threat, the deputy sec­re­tary said.

“The threat we see today is prob­a­bly not the threat we’re going to see tomor­row,” Lynn said. “We need to get ahead of that game.”

The cyber threat is like­ly to increase in two direc­tions, Lynn said: up the lad­der of esca­la­tion from exploita­tion to destruc­tion, and from nation-states to non­state actors.

“We’re at this tran­si­tion point now, which actu­al­ly gives us a lit­tle time where the most destruc­tive capa­bil­i­ties are not in the hands of the peo­ple who would be most like­ly to use them,” he said. That addi­tion­al time offers a chance to strength­en the cyber domain against devel­op­ing threats, he added.

Lynn empha­sized the need for urgency in devel­op­ing a strat­e­gy and get­ting cyberde­fense capa­bil­i­ties in place. The deputy sec­re­tary also reit­er­at­ed anoth­er key point from his speech: cyberde­fense can­not be likened to tra­di­tion­al mil­i­tary mis­sions, such as air defense.

Cyber and much of the crit­i­cal infra­struc­ture it touch­es — such as pow­er grids and trans­porta­tion net­works — is large­ly in the pri­vate sec­tor, he not­ed.

“We need this pub­lic-pri­vate part­ner­ship, and we need a part­ner­ship across the whole of gov­ern­ment,” he said.

Lynn point­ed out that the Defense Depart­ment plays a sup­port­ing role with­in U.S. bor­ders.

DOD has capa­bil­i­ties, but in terms of pro­tect­ing crit­i­cal infra­struc­ture, the lead agency there is the Depart­ment of Home­land Secu­ri­ty,” he said. “We work through them, just as we do on hur­ri­cane relief.”

Lynn said his meet­ings here this week with infor­ma­tion tech­nol­o­gy pio­neers offered an oppor­tu­ni­ty to seek industry’s views on “chang­ing the bal­ance” in an IT infra­struc­ture that now favors attack­ers.

Alter­ing the Internet’s offense-defense bal­ance will take a num­ber of years, the deputy sec­re­tary said, but he added that he is encour­aged that indus­try lead­ers told him soft­ware and hard­ware tech­nolo­gies are avail­able that can help in achiev­ing that objec­tive.

“In the inter­im, we’re pur­su­ing robust defens­es,” he said.

Lynn, who has made cyber­se­cu­ri­ty a pri­or­i­ty in his inter­ac­tions with oth­er mil­i­taries, NATO part­ners and pri­vate indus­try, received the 2011 RSA Con­fer­ence award for excel­lence in pub­lic pol­i­cy.

U.S. Depart­ment of Defense
Office of the Assis­tant Sec­re­tary of Defense (Pub­lic Affairs)

More news and arti­cles can be found on Face­book and Twit­ter.

Fol­low on Face­book and/or on Twit­ter