"The cyber exploitation being perpetrated against the defense industry cuts across a wide swath of crucial military hardware, extending from missile tracking systems and satellite navigation devices to UAVs (unmanned aerial vehicles) and the Joint Strike Fighter," Lynn said. "Current countermeasures have not stopped this outflow of sensitive information. We need to do more to guard our digital storehouses of design innovation."
In a press briefing after the speech, Lynn revealed that hackers believed to be backed by another nation obtained 24,000 Pentagon files related to systems being developed for the Defense Department during a single intrusion in March, one of the worst digital attacks against the DoD. Lynn didn't identify the contractor. "It was done, we think, by a foreign intelligence service," he said. "In other words, a nation-state was behind it. And we don't get into our understanding of exactly who that was."
In his speech, Lynn unveiled the first Department of Defense Strategy for Operating in Cyberspace, which takes a more active approach to not only defend military systems and networks but to safeguard American cyberspace. Lynn first outlined the five pillars of the new strategy last August (see DoD Unveils New Cyber Defense Strategy).
The Five Pillars

The strategy's five initiatives include:
- Treat cyberspace as an operational domain to organize, train and equip so that DoD can take full advantage of cyberspace's potential. This initiative allows DoD to approach cyberspace as it does in air, land, maritime and space to support national security interests.
- Employ new defense operating concepts to protect DoD networks and systems. To achieve this initiative, DoD will enhance its cyber hygiene best practices; strengthen its workforce communications, workforce accountability, internal monitoring and information management capabilities; employ active cyber defenses to prevent network and systems intrusions; and develop new defense operating concepts and computing architectures.
- Partner with other federal departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy. DoD last year implemented a program with the Department of Homeland Security to safeguard cyberspace (see DHS, DoD to Tackle Jointly Cyber Defense). DoD says it's establishing a pilot public-private sector partnership to show the feasibility and benefits of voluntarily opting into increased sharing of information about malicious or unauthorized cyber activity and protective cybersecurity measures (see Gov't Pilot Program Protects Defense Industry).
- Build robust relationships with U.S. allies and international partners to strengthen collective cybersecurity. Lynn, the primary Defense Department cybersecurity champion, has traveled the past two years to Australia, Britain and Canada, meeting with our allies, including NATO, to engage them in a cooperative cyberdefense. The strategy says DoD's international engagements support the administration's International Strategy for Cyberspace and the president's commitment to fundamental freedoms, privacy and the free flow of information (see White House Unveils Int'l Cybersecurity Strategy).
- Leverage the nation's ingenuity through an exceptional cyber workforce and rapid technological innovation. The Pentagon will marshal American scientific, academic and economic resources to build a pool of talented civilian and military personnel to operate in cyberspace to achieve DoD objectives.
"Our responsibility is to acknowledge this new environment and adapt our security instruments to it. That is the purpose of the DoD cyber strategy," Lynn said. "We must prepare. We must recognize the interconnectedness of cyber. And we must be mindful of the many ways cyberspace is used - as a peaceful instrument of global communications, as a tool for economic growth - and, also, as an instrument to threaten and sometimes cause harm."
Rep. James Langevin, D-R.I., said the strategy sends a message to America's domestic and international partners about the military's stature on the Internet. Still, the strategy raises questions DoD needs to flesh out, said Langevin, co-chair of the Commission on Cybersecurity for the 44th Presidency and the Congressional Cybersecurity Caucus.
"What are acceptable red lines for actions in cyberspace and what resources can and will the Defense Department provide to the Department of Homeland Security, private companies and international partners to enable their own defense?" Langevin asked. "Does data theft or disruption rise to the level of warfare or do we have to see a physical event, such as an attack on our power grid, before we respond militarily?"