Lynn Outlines New Cybersecurity Effort

PARIS, June 16, 2011 — Deputy Defense Secretary William J. Lynn III outlined a pilot program here today in which the government helps the defense industry in safeguarding the information their computer systems hold.

In a keynote address at the Center for Strategic Decision Research’s 28th International Workshop on Global Security, Lynn described Defense Industrial Base Cyber Pilot — called “DIB Cyber Pilot” for short — in which the Defense Department, in partnership with the Department of Homeland Security, shares classified threat information and the know-how to employ it with participating defense companies or their Internet service providers to help them in defending their computer networks from attack or exploitation.

“Our defense industrial base is critical to our military effectiveness. Their networks hold valuable information about our weapons systems and their capabilities,” Lynn said. “The theft of design data and engineering information from within these networks greatly undermines the technological edge we hold over potential adversaries.”

Current countermeasures have slowed exploitation of U.S. defense industry networks, but haven’t stopped it, the deputy secretary told the audience, leading to DIB Cyber Pilot’s establishment last month with a handful of defense-industry companies, all of which volunteered for the program.

“By furnishing network administrators with this threat intelligence,” he said, “we will be able to strengthen the existing cyber defenses at defense companies.”

Lynn emphasized that the government will not monitor, intercept or store any private-sector communications through the program. Rather, he said, threat intelligence provided by the government is helping the companies themselves, or the Internet service providers working on their behalf, to identify and stop malicious activity within their networks. The pilot is voluntary for all participants, he added.

Lynn expressed the hope that DIB Cyber Pilot could serve as an example of how a larger effort aimed at protecting the nation’s critical infrastructure — its power grid, transportation system, financial system and other components — might work.

“Although this pilot breaks new ground on several fronts, we have a long way to go, and a lot of work to do, before our critical infrastructure will be fully secure,” he said. “But by establishing a lawful and effective framework for the government to help operators of one critical infrastructure sector defend their networks, we hope the DIB Cyber Pilot can be the beginning of something bigger. It could serve as a model that can be transported to other critical infrastructure sectors, under the leadership of the Department of Homeland Security.”

Meanwhile, Lynn said, attacks on military networks pose a growing threat.

“Information technologies have revolutionized how our militaries organize, train and equip,” he said. “They are at the core of our most important military capabilities: communications, command and control, navigation, and intelligence, surveillance and reconnaissance. But for all the military capability that information technology enables, it also introduces vulnerabilities.

“We learned this lesson in 2008 when a foreign intelligence agency used a thumb drive to penetrate our classified computer systems — something we thought was impossible,” he continued. “It was our worst fear: a rogue program operating silently on our system, poised to deliver operational plans into the hands of an enemy.”

Network exploitation — the theft of data from both government and commercial networks — has been the most prevalent cyber threat to date, Lynn said. Foreign intelligence services have stolen military plans and weapons systems designs, and valuable source code and intellectual property have been stolen from businesses and universities. Recent intrusions at the International Monetary Fund, Lockheed Martin and Citibank join others in the oil and gas sector, at Nasdaq and at Google as further, troubling instances of a widespread and serious phenomenon, he added.

“This kind of cyber exploitation does not have the dramatic impact of a conventional military attack,” Lynn said. “But over the long term, it has a corrosive effect that in some ways is more damaging. It blunts our edge in military technology and saps our competitiveness in the global economy.”

Though exploitation has been the most common type of attack, the deputy secretary said, network disruption has emerged as a second cyber threat. In this type of attack, he explained, intruders seek to deny or degrade the use of important government or commercial networks. Such attacks occurred against Estonia in 2007 and against Georgia in 2008, he added, and an attack targeting eBay and PayPal was along similar lines.

“To this point, the disruptive attacks we have seen are relatively unsophisticated in nature, largely reversible, and short in duration,” Lynn said. “But in the future, more capable adversaries could potentially immobilize networks on an even wider scale, for longer periods of time.”

A third type of cyber attack — destruction — is the most dangerous because it uses cyber tools to cause physical damage, Lynn said.

“This development — which would mark a strategic shift in the cyber threat — is only just emerging,” he said. “But when you look at what tools are available, it is clear that this capability exists. It is possible to imagine attacks on military networks or on critical infrastructure like the transportation system and energy sector that cause severe economic damage, physical destruction or even loss of life.”

Lynn acknowledged the possibility that a destructive cyber attack might never take place.

“Regrettably, however, few weapons in the history of warfare, once created, have gone unused,” he added. “For this reason, we must have the capability to defend against the full range of cyber threats.”

As the cyber threat continues to move up a ladder of escalation from exploitation to disruption and, ultimately, to destruction, Lynn said, the groups that possess these capabilities also are likely to expand in dangerous directions.

The highest levels of cyber capabilities reside almost entirely in sophisticated nation-states, and so far, they primarily have deployed their capabilities to exploit and occasionally disrupt networks, rather than to destroy them, Lynn said.

“Although we cannot dismiss the threat of a rogue state lashing out, most nations have no more interest in conducting a destructive cyber attack against us than they do a conventional military attack,” he said. “The risk for them is too great. Our military power provides a strong deterrent. … We nevertheless must prepare for the likelihood that cyber attacks will be part of any future conventional conflict. We need cyber capabilities that will allow us to deter and to defend against the most skilled nation-state.”

However, Lynn added, the threat of a terrorist group gaining disruptive or destructive cyber capabilities may be the greater and more immediate concern.

“Al-Qaida, which has vowed to unleash cyber attacks, has not yet done so,” he said. “But it is possible for a terrorist group to develop cyber attack tools on their own or to buy them on the black market. The nature of cyber is that a couple dozen talented programmers, using off-the-shelf equipment, can inflict a lot of damage. Moreover, with few tangible assets to lose in a confrontation, terrorist groups are very difficult to deter.

“We have to assume that in cyber, as in other areas, if terrorists have the means to strike, they will do so,” Lynn added.

U.S. Department of Defense
Office of the Assistant Secretary of Defense (Public Affairs)
