Collective Cyber Defense: Int'l Synergy a Must
Casting the Widest Net to Identify Cyberattack Markers
Deputy Defense Secretary William Lynn III, speaking to Australian government and civic leaders at the Maritime Museum in Sydney on Saturday, also said a primary purpose of a joint cyber defense is to safeguard global business competitiveness. "The private sector is also on the front lines," he said.
The text of Lynn's remarks can be found at the end of this article.
* * *
Through cooperation, Lynn said, the United States and its allies can cast the widest net possible to identify the markers of cyberattacks. "Put simply," he said, "international cooperation is imperative for establishing the chain of events in an intrusion, and quickly and decisively fighting back. Because of the difficulty in attribution, the reality is that we cannot defend our networks by ourselves."
Lynn noted that the U.S. and Australia already cooperate on cybersecurity. "But far greater attention and resources are needed on both sides of the Pacific if we are to stay ahead of the cyber threat," he said. "We need stronger agreements to facilitate the sharing of information, technology, and intelligence. We need to develop a shared cyber doctrine that allows us to work fluidly with each other and with our other allies. And we need to train together, in the field and through tabletop exercises at headquarters."
Deputy Defense Secretary William Lynn, left, meets with Australian officials.
"Making networks safer will ultimately require pushing down software that can detect patterns of threatening activity to a large number of users," Lynn said. "But attack vectors and signatures of cyber threats are often classified. Monitoring networks similarly involves active and passive forms of surveillance. But we must also ensure surveillance regimes respect civil liberties and protect private intellectual property."
Lynn said that how the private sector will organize itself to defend against the cyber threat is also unresolved. "Existing technologies can thwart a majority of cyber attacks, but defenses are expensive and burdensome," he said. "Although many industries have made a major investment in defensive capabilities, not everyone is able to make that kind of investment on their own. How then do we put in place the appropriate incentives to motivate private investment in cyber defenses?"
Cyber Threat: Most Perilous Challenge
What follows are Lynn's prepared remarks delivered at a roundtable on cybersecurity with Australian business and civic leaders.
We live in a world where terrorists and rogue states now have access to advanced capabilities, where make-shift bombs used by insurgents penetrate even the most advanced armor, and where small investments in specific technologies can inhibit our ability to operate in global commons on the seas, in the air, in space and in cyberspace.
So we are investing in new tools. Our countries are jointly developing IED (improvised explosive device) countermeasures, intelligence, surveillance and reconnaissance platforms and submarine technology. And with the U.S.-Australian Defense Trade Cooperation Treaty finally moving toward ratification, we are hopeful that our ability to develop and acquire battlefield systems will soon benefit from streamlined export control measures.
But many challenges remain. One of the most perilous of these is the cyber threat. And that is the topic I want to focus on with you today.
I'm often asked what keeps me up at night. Number one is the cyber threat. If we don't maintain our capabilities to defend our networks in the face of an attack, the consequences for our security will be dire.
Each of our countries has relied upon the great oceans that surround us to shield us from attack. However, our natural geographic defenses are of no use with cyber attacks.
The Internet is magical in its ability to connect us to others. But it is also a two-way street. It gives us access to the world, but also connects the world to us. And the internet transports a keystroke half around the globe in 300 milliseconds.
Over the past 10 years, the frequency and sophistication of attacks have increased exponentially. Our networks are under threat every hour of every day. They are probed thousands of times a day. They are scanned millions of times a day. And we have not always been so successful in stopping intrusions or determining where they come from.
Foreign Spies Hacking U.S. Systems
More than 100 foreign intelligence organizations are trying to hack into U.S. systems. Foreign militaries are developing offensive cyber capabilities. And some governments already have the capacity to disrupt elements of the U.S. information infrastructure. We even see criminals who have world-class cyber capabilities.
Not even our President has been spared. During the presidential campaign in 2008, hackers gained access to campaign files of Barack Obama. Policy papers, travel plans, and sensitive emails were all compromised. The intrusion was eventually detected and repelled, but not before sensitive information was taken.
For all these reasons the President has called the cyber threat one of the "most serious economic and national security challenges we face as a nation."
The Australian military and economy are just as dependent upon information technology as ours and therefore just as vulnerable to the cyber threat. Last year alone, Australia experienced 2400 assaults on its military networks, and an equal number against other government networks.
So the cyber threat is a very real one for both our militaries. It is also, I am afraid, a threat to our economies, to both our critical infrastructure and to our intellectual property.
Computer security professionals have known for a long time that information stored on office networks is subject to theft and corporate espionage. After the announcement by Google that it and over 30 other companies were subject to unprecedented cyber intrusions last month, many more people know this too.
The threat is so pervasive that a new computer, if unprotected, can be scanned within seconds and infected with malware within minutes.
The sheer volume of intellectual property vanishing through cyber intrusions is staggering. Our national Library of Congress holds more scholarly material than has ever been brought together in all of history, yet an amount of intellectual property many times larger is stolen each year from networks maintained by U.S. businesses, universities, and government agencies. And the problem extends far beyond the U.S. All developed countries that make use of information technology are affected.
Nation-States Behind Attacks
The threat comes not only from individuals and criminal syndicates. It also comes from nation-states. In fact, in the first survey of its kind, 600 IT security executives from around the world were asked about cyber vulnerabilities in their businesses. More than half believe they have already been attacked by sophisticated government intruders.
In response to the growing number of intrusions, allied governments have sounded the alarm. Two years ago, the UK warned British financial institutions and other businesses of a specific threat to their operations. And last month, Secretary of State Hillary Clinton called for the Chinese government to investigate the cyber intrusions that affected Google, which our National Security Agency is helping investigate.
I am here to tell you that the threat is real, that it is here today, and that countering it will take a concerted effort, by both business and government, over many years.
Over the past ten years we have built layered and robust cyber defenses around our military networks. With 15,000 networks and 7 million computing devices used by our Department, we have formally recognized cyberspace for what it is -- a domain similar to land, sea, air and space. A domain that we depend upon and must protect.
We are in the process of standing up a dedicated Cyber Command. And like your own defense whitepaper, our Quadrennial Defense Review recognizes cyber as a priority area.
Australia has also taken a lead in centrally organizing its cyber defenses. You have established the new Cybersecurity Operations Center in the Department of Defense. With 50 security analysts, software engineers, and scientists on 24-hour alert, and many more to come, the operations center embodies Australia's commitment to face the cyber threat. Because people refer to it by its acronym, CSOC, you can tell it is already an accepted part of department operations.
But there is much more that needs to be done. And I am here today because we can only succeed at protecting our networks by working together.
2-Step Approach to Securing Critical IT
To strengthen our military and our private sector networks, we need to take two interrelated steps.
First, we need to enhance still further how our governments and militaries cooperate on cyber defense.
There is strong logic to collective cyber defense.
Knowing who your adversary is, and what they've already done, is a key part of mounting an effective response. Yet determining where the attacks originate from, and who is responsible, is among the most difficult challenges we face.
It is always best when searching for markers of attacks to cast the widest net possible. Put simply, international cooperation is imperative for establishing the chain of events in an intrusion, and quickly and decisively fighting back. Because of the difficulty in attribution, the reality is that we cannot defend our networks by ourselves.
We have already partnered extensively with your government to respond to intrusions against our military networks. Many of our computer defenses are already linked. But far greater attention and resources are needed on both sides of the Pacific if we are to stay ahead of the cyber threat.
We need stronger agreements to facilitate the sharing of information, technology, and intelligence. We need to develop a shared cyber doctrine that allows us to work fluidly with each other and with our other allies. And we need to train together, in the field and through tabletop exercises at headquarters.
I am working on each of these issues on this visit. I will be meeting with Minister Faulkner on Tuesday. And we anticipate conducting a cyber exercise later this year. There is a second step we must take.
Businesses On the Front Line
Although we have charted a clear course on the military front, one of the most crucial needs going forward is securing private sector networks against sophisticated attacks, attacks that ordinary countermeasures and anti-virus software will not defeat, and that, if successful, would threaten our critical infrastructure and global business competitiveness.
We must take the steps necessary to organize our governments to assist the private sector in this task.
Years of concerted investment on the military side in the U.S., Australia, the UK, and Canada has placed much of our cyber defense capabilities within our militaries and intelligence agencies. But the private sector is also on the front lines.
Here in Australia you now have a national Computer Emergency Response Team, which, if called upon, helps businesses respond to sophisticated intrusions. Establishing a dedicated team focused on high-end cybercrime and commercial espionage lays the foundation for a regularized way of cooperating with the private sector.
But no matter what the organizational formula is, using government tools to protect private networks raises difficult practical and legal questions.
Making networks safer will ultimately require pushing down software that can detect patterns of threatening activity to a large number of users. But attack vectors and signatures of cyber threats are often classified. Monitoring networks similarly involves active and passive forms of surveillance. But we must also ensure surveillance regimes respect civil liberties and protect private intellectual property.
How the private sector will organize itself to defend against the cyber threat is also unresolved. Existing technologies can thwart a majority of cyber attacks, but defenses are expensive and burdensome. Although many industries have made a major investment in defensive capabilities, not everyone is able to make that kind of investment on their own. How then do we put in place the appropriate incentives to motivate private investment in cyber defenses?
So in the cyber domain we face enormous foundational challenges. We must not only develop a military doctrine for protecting our networks. We must also decide how our governments will leverage their capabilities to defend our countries, our economies, and our allies.
Our efforts to develop a collective cyber defense, while certainly a daunting challenge, are only the latest chapter in our long history of defense cooperation.
How we will respond to the cyber threat, and to shifting power-dynamics in the Asia-Pacific region, is now up to us.
Our alliance has helped keep the Pacific at peace for more than half a century. We are right now taking the actions that will safeguard our future, and steel us against what threats may come. The next plaque to go up in the Pentagon's ANZUS corridor will chronicle the efforts we make to preserve our security.
The Great White Fleet that steamed into Sydney more than a century ago was a magnificent spectacle, a visible sign of the power America will deploy to defend our allies.
Developments in cyber defenses won't be greeted with the fireworks that met the fleet. But they are just as important to our future security.