In March, a cyber attack on a defense company’s network captured 24,000 files containing Defense Department information.Deputy Defense Secretary William J. Lynn III announces the Defense Department’s Strategy for Operating in Cyberspace at National Defense University at Fort Lesley J. McNair in Washington, D.C., July 14, 2011. It is the department’s first unified strategy for operating in cyberspace.
Nations typically launch such attacks, Deputy Defense Secretary William J. Lynn III said today, but a growing risk of terrorist groups and rogue states developing similar capabilities drives the need to strengthen the nation’s cyber defenses. “All of the advanced capabilities we have, whether it’s targeting or navigation or communication, … have a backbone that’s run through information technology,” he said. “So if you’re a smart adversary and you’re seeking an asymmetric way to come at the United States, cyber will appear to you very, very quickly.”
Lynn spoke to Pentagon reporters about how the Defense Department’s new Strategy for Operating in Cyberspace counters such threats. Officials released an unclassified version of the strategy today.
Attacks in cyberspace are hard to trace to the source, which makes retaliation an ineffective strategy, Lynn said, noting that DOD’s approach is to harden defenses and reduce incentives for attacks. The strategy rests on five pillars, he said: treat cyber as a domain; employ more active defenses; support the Department of Homeland Security in protecting critical infrastructure networks; practice collective defense with allies and international partners; and reduce the advantages attackers have on the Internet.
The department established U.S. Cyber Command in May 2010 to address the Internet as a domain, just as it does land, sea, air and space. Cyber Command develops doctrine, training and equipment for cyber defense, Lynn said.“We have, within Cyber Command, a full spectrum of capabilities, but the thrust of the strategy is defensive,” Lynn said. “We think we need to be able to defend our networks just to maintain our offensive advantages in all of the other areas.” Lynn said the active defense facet of the strategy seeks to avoid a “Maginot Line” approach, focused only on the perimeter. “You want to be able to hunt on your own networks, to find things that get past the perimeter,” he said. “It’s a more dynamic approach to defense.”
Lynn said DOD is responsible for defending military networks, but the Department of Homeland Security is responsible for government networks and working with the private sector on defending critical infrastructure. But the Pentagon has an important role to play supporting Homeland Security’s efforts, Lynn said, because it relies on the power grid and the transportation and financial networks. “If we were in some sort of world where we were able to protect the military networks and the power grid went down, that would not be good militarily,” he said.
“We think that over time, research and development money might rebalance that somewhat and impose costs on the attacker,” Lynn said, offering as an example of promising technology the ability to encrypt data at rest without increasing processing time, which the Defense Advanced Research Projects Agency and private-sector companies are working to develop. “That’s the kind of thing that would … give more advantages to the defender. So if you broke in [to a network] you would then have to decrypt the data,” he said. “It’s a much, much harder problem for an attacker.”
In the 1980s and 1990s, DOD invested in high-performance computing for cryptanalysis and other military applications, Lynn noted.“That helped seed a whole industry,” he said. “It helped, I think, accelerate the development of technologies.” Similar advances can result from the department’s efforts now, he said, noting DOD’s cyber investment includes a half billion dollars in research funding for DARPA in the last budget. “We’ve got a very strong partnership with our defense industrial base now,” he said. “We have, I think, worked through processes where we’re sharing data, sharing an understanding of the threat … and that just strengthens everybody.”
Close cooperation among DOD, other agencies and private industry limits risk, Lynn said, because defenses can be put in place quickly to limit the spread of harmful attacks. DOD also coordinates with defense companies and the information technology industry through the enduring security framework, he said, which allows the department to solicit technical solutions to threats. “It’s a very soft touch,” he said. “This is a collaborative forum. … There’s no government direction in that, but we’ve seen several specific instances where they have indeed made upgrades based on the description of the threats.”
On the international front, the United States has reached agreements with NATO, as well as with individual nations, including the United Kingdom and Australia, Lynn said. “The White House just put out an international strategy with the idea of broadening that group of international partners,” he added. “There certainly are sovereignty issues,” Lynn said. “I think that’s where collective defense is a critical element. If you exchange information about the kinds of threats, the kinds of signatures you’re seeing, … you’re able to get early warning.”
By Karen Parrish, Lynn: Cyber Strategy’s Thrust is Defensive, American Forces Press Service, July 14, 2011 –