Lynn Urges Partnership Against Cyber Threat

SAN FRANCISCO, Feb. 15, 2011 — Gov­ern­ment and indus­try must work more close­ly togeth­er to counter the grow­ing threat to the nation’s cyber net­works, Deputy Defense Sec­re­tary William J. Lynn told infor­ma­tion tech­nol­o­gy pro­fes­sion­als here today.
The Defense Depart­ment and oth­er fed­er­al depart­ments and agen­cies need to pur­sue or expand avenues in infor­ma­tion shar­ing, strength­en­ing net­work archi­tec­ture, and extend­ing government’s net­work defens­es to pri­vate net­works key to nation­al secu­ri­ty and the econ­o­my, he said dur­ing a keynote speech at the annu­al RSA Con­fer­ence for Inter­net secu­ri­ty.

Lynn told thou­sands gath­ered for the con­fer­ence that the pri­vate sector’s role in defend­ing the cyber domain is crit­i­cal. Unlike the sea, air, land and space domains, cyber is not an area where mil­i­tary pow­er alone can dom­i­nate, he said.

“The over­whelm­ing per­cent­age of our nation’s crit­i­cal [infor­ma­tion] infra­struc­ture, includ­ing the Inter­net itself, is in pri­vate hands,” Lynn not­ed. It will take the country’s “vast tech­no­log­i­cal and human resources to ensure the Unit­ed States retains its pre­em­i­nent capa­bil­i­ties in cyber­space, as it does in all the oth­er domains,” he said.

Telecom­mu­ni­ca­tions providers have “unpar­al­leled vis­i­bil­i­ty” into glob­al net­works and often pos­sess the best oper­a­tional capac­i­ty to respond to sys­tem assaults, Lynn said. “They can detect attacks tran­sit­ing their sys­tems, and in many cas­es, alert cus­tomers,” he added.

Infor­ma­tion-shar­ing efforts are well under­way, with indus­try and gov­ern­ment exec­u­tives meet­ing reg­u­lar­ly as part of a part­ner­ship known as the Endur­ing Secu­ri­ty Frame­work, Lynn said. The frame­work “not only helps iden­ti­fy vul­ner­a­bil­i­ties, it also mobi­lizes gov­ern­ment and indus­try exper­tise to address secu­ri­ty risks before harm is done,” he said.

More work is need­ed, the deputy sec­re­tary said, because net­work attack­ers have an inher­ent advan­tage. Because the Inter­net was designed to be open and inter­op­er­a­ble, secu­ri­ty and iden­ti­ty man­age­ment were sec­ondary in its design.

“You can see just how sig­nif­i­cant this advan­tage is by com­par­ing anti-virus soft­ware to the mal­ware it’s designed to defeat,” Lynn said. “Sophis­ti­cat­ed anti-virus suites now run on about 10 mil­lion lines of code … up from one mil­lion lines in only a decade. Yet mal­ware writ­ten with as lit­tle as 125 lines of code has remained able to pen­e­trate anti-virus soft­ware across this same peri­od.”

Gov­ern­ment agen­cies need the sci­en­tif­ic com­mu­ni­ty to help strength­en net­work archi­tec­ture, he said.

“We must embed high­er lev­els of secu­ri­ty and authen­ti­ca­tion in hard­ware, oper­at­ing sys­tems, and net­work pro­to­cols,” Lynn said. The Nation­al Strat­e­gy for Trust­ed Iden­ti­ties in Cyber­space, a White House ini­tia­tive, “will lay one build­ing block of this more secure future,” he said.

“It will take the course of a gen­er­a­tion to have a real oppor­tu­ni­ty to engi­neer our way out of some of the most prob­lem­at­ic vul­ner­a­bil­i­ties of today’s tech­nol­o­gy,” he said.

To spur secu­ri­ty improve­ments, the Defense Depart­ment is adding $500 mil­lion for new research in cyber tech­nolo­gies, with a focus on areas like cloud com­put­ing, vir­tu­al­iza­tion, and encrypt­ed pro­cess­ing, Lynn said. The depart­ment also is pro­vid­ing seed cap­i­tal to com­pa­nies through its “Cyber Accel­er­a­tor” pilot pro­gram to pro­duce dual-use tech­nolo­gies that address cyber secu­ri­ty needs, he said.

The depart­ment must speed its adop­tion of these new tech­nolo­gies, Lynn said.

“It cur­rent­ly takes the Pen­ta­gon 81 months to field a new infor­ma­tion tech­nol­o­gy sys­tem. The iPhone was devel­oped in just 24 months,” he said. “We have to close this gap, and Sil­i­con Val­ley can help us.”

The Pen­ta­gon will expand its Infor­ma­tion Tech­nol­o­gy Exchange Pro­gram, which man­ages tem­po­rary “job-swaps” between the depart­ment and indus­try IT experts, he announced.

“We want senior IT man­agers in the depart­ment to incor­po­rate more com­mer­cial prac­tices,” he said. “And we want sea­soned indus­try pro­fes­sion­als to expe­ri­ence, first-hand, the unique chal­lenges we face at DOD.”

Lynn also announced that DOD is begin­ning a pro­gram to max­i­mize its use of cyber exper­tise with­in the Nation­al Guard and Reserve.

Many reservists have a high lev­el of IT knowl­edge they use in their civil­ian jobs, Lynn said. To make bet­ter use of those skills, he added, DOD will increase the num­ber of Guard and Reserve units ded­i­cat­ed to cyber mis­sions.

At the same time, the depart­ment is work­ing to extend its exper­tise to indus­try.

“Because of our intel­li­gence capa­bil­i­ties, gov­ern­ment has a deep and unique aware­ness of cer­tain cyber threats,” he said. “Through clas­si­fied threat-based infor­ma­tion, and the tech­nol­o­gy we have devel­oped to employ it in net­work defense, we can sig­nif­i­cant­ly increase the effec­tive­ness of cyber secu­ri­ty prac­tices that indus­try is already car­ry­ing out.”

The depart­ment already shares some unclas­si­fied threat infor­ma­tion with defense com­pa­nies that have net­works con­tain­ing sen­si­tive infor­ma­tion, Lynn said. He added that a press­ing pol­i­cy ques­tion remains as to whether clas­si­fied sig­na­tures and their sup­port­ing tech­nol­o­gy should be shared across the full range of indus­tri­al sec­tors sup­port­ing the mil­i­tary and the econ­o­my.

“The real chal­lenge, at this point, is devel­op­ing the legal and pol­i­cy frame­work to do so,” he said.

Secur­ing the nation’s net­works will require unprece­dent­ed indus­try and gov­ern­ment coop­er­a­tion, Lynn said.

“With the threats we face, work­ing togeth­er is not only a nation­al imper­a­tive,” he said. “It is also one of the great tech­ni­cal chal­lenges of our time.”

U.S. Depart­ment of Defense
Office of the Assis­tant Sec­re­tary of Defense (Pub­lic Affairs)

More news and arti­cles can be found on Face­book and Twit­ter.

Fol­low on Face­book and/or on Twit­ter