Defense Dept. Outlines New Infosec Approach
Cybersecurity Speech by DoD Deputy Secretary William Lynn
I have been working closely on cyber security this past year. The whole issue is something of a good news/bad news predicament. Which reminds me of a story I know.
It's a story of two gentlemen who started off together in high school playing baseball. They were baseball fanatics. They went on to play baseball together at the same college. And they continued their passion over the years by watching games together every weekend. By the time they got well into their 80s, it became pretty clear that one of them was going to pass on fairly soon. So they made a little pact. Whoever died first would come back to tell the other the answer to their most important question: would there be baseball in heaven?
Soon thereafter, one of them did pass on. While the other was sleeping a few nights later, an apparition appeared. Sure enough, it was his friend.
"Terrific!" one friend said to the other. "You've held to the deal! You're back. Tell me, is there baseball in heaven?"
His friend replied, "Well, there is good news and bad news. What do you want first?"
"Oh, good news, I guess."
So his friend goes on to say, "There is baseball in heaven. It's terrific. It's all outdoor fields and natural grass. You're playing with some of the best players ever: Joe DiMaggio, Ted Williams. It's just what you would have hoped for in heaven."
The friend still on earth asked, "How can there be bad news in that?"
His friend says, "Well, you're pitching tomorrow."
And that's the story with cyber security as well.
Without question, we are the world's leading producer and consumer of information technology. It powers our economy. It enables almost everything our military does. Command and control of our forces, intelligence gathering, logistical support of our troops - cyber gives us significant advantages over any adversary. But cyber also poses a threat. Our very reliance on cyber furnishes an obvious route for adversaries to attack us. Cyber is therefore a source of potential vulnerability. So today I would like to talk about how DoD is addressing cyber security - how we see the environment, what we see as the threats, and what our strategy is to combat those threats.
I will also discuss the importance of U.S. Cyber Command, which we formally established last Friday. Finally, I want to address the importance of partnering closely with industry and the need for the Department to develop a better process for IT acquisition. Let me start with the basics.
DoD's Large Cyber Footprint
DoD has a large IT footprint. We operate more than 15,000 networks within the .mil domain. We have seven million computing devices. 90,000 people are directly involved in the operation of our information technology. We rely not only on our own networks, but also on many commercial and government networks outside the .mil domain. The fact is that our department depends on the overall IT infrastructure of our nation.
The threat to our computer networks is substantial. They are scanned millions of times a day. They are probed thousands of times a day. And we have not always been successful in stopping intrusions. In fact, over the past several years we have experienced damaging penetrations.
Cyber is an especially asymmetric technology. The low cost of computing devices means that our adversaries do not have to build expensive weapons systems to pose a serious threat. They do not need fleets of ships or aircraft to conduct damaging attacks on our society. Knowing this, many militaries are developing offensive cyber capabilities, and more than 100 foreign intelligence organizations are trying to break into U.S. systems. Some governments already have the capacity to disrupt elements of the U.S. information infrastructure.
Cyber is also an attractive weapon to our adversaries because it is hard to identify the origin of an attack and even more difficult to deter one. A keystroke travels twice around the world in 300 milliseconds. But the forensics necessary to identify an attacker may take months. Without establishing the identity of the attacker in near real time, our paradigm of deterrence breaks down. Missiles come with a return address. Cyber attacks, for the most part, do not. For these reasons established models of deterrence do not wholly apply to cyber. We need a deterrent structure that fuses offensive, defensive, and intelligence operations to meet current and future threats.
4 Overlapping Cyber Threats
In our analysis, we see four overlapping cyber threats.
The first is to our military networks themselves. This threat was recognized fairly early, and we have made a concerted effort over the last five years to construct substantial defenses. We are not invulnerable at this point. But the level of protection is higher than you will find on any other IT systems. With the establishment of Cyber Command, we are continuing to increase that protection through the use of more active defenses, which I will discuss in a few moments.
The second threat is to the nation's critical infrastructure. Computer-induced failures of our power grids, transportation system, or financial sector could lead to physical damage and economic disruption on a massive scale. The Clinton administration identified this threat in the late '90s. The Bush administration made it a part of their cyber initiative. But we have not yet arrived at the point at which these networks are as protected as they need to be. I believe there are steps we can take, and I will outline one possible approach later.
The third and in many ways least discussed threat is to our intellectual property. Earlier this year key parts of Google's source code were exfiltrated in a sophisticated operation that also targeted dozens of other companies. The defense industry has similarly been targeted. Designs for key weapons systems have been stolen. The threat to intellectual property is less dramatic than a cyber attack on our infrastructure. But it may over the long term be the most significant cyber threat our nation faces.
The risk of tampering in our supply chain is the fourth and final threat. Rogue code, including so-called "logic bombs," can be inserted into software as it is being developed, allowing outside actors to manipulate systems from afar. Hardware is also at risk. Remotely operated "kill-switches" and hidden backdoors can be written into the chips and physical buses used in military hardware. The risk of compromise in the manufacturing process is very real, and in many respects is the threat we least understand. Tampering is difficult to detect, and even harder to prevent.
To give you an example of how pervasive the cyber threat is, not even our presidential candidates were spared. In the 2008 campaign, both Barack Obama and John McCain had their computer systems compromised. Emails, travel plans, and policy documents were all compromised. The intrusion was eventually detected and repelled, but not before sensitive information was taken.
For all these reasons, President Obama has appointed Howard Schmidt as his Cyber Coordinator and has called cyber, "one of the most serious economic and national security challenges that we face as a nation."
To respond to the array of cyber threats that confront us, the Pentagon is taking action on several fronts. As a doctrinal matter, the Defense Department has formally recognized cyberspace for what it is - a new domain of warfare. Like land, sea, air, and space, cyberspace is a domain that we must operate effectively within. Cyberspace is the only domain that is manmade and largely privately owned, but it is nevertheless just as critical to our military effectiveness as the others.
3 Lines of Defense
To secure our digital infrastructure, the department has established three lines of defense.
Our first line of cyber defense is ordinary hygiene - keeping systems and software up to date. The Internet is teeming with so many viruses and botnets that an unprotected computer can be infected within minutes of being placed online. To remain secure, any network that has contact with the Internet must constantly refresh malware signatures and install security patches. With three million users, keeping our computers up to date is a constant challenge, but one that we are starting to meet. Automated systems now ensure firewalls and anti-virus software are properly configured on each of our computers. We estimate that effective hygiene will block about half of attempted intrusions.
Perimeter security forms our next line of defense. To monitor traffic flowing into and out of our networks, we narrowed the number of ports at which our systems access the commercial Internet. We also deployed host-based security services and intrusion detection systems on our servers and routers. These sensors are linked to network mapping and visualization software that help identify breaches. We believe perimeter defenses block another 30 to 40 percent of attempted intrusions. Taken together, proper hygiene and perimeter security furnish a level of protection approaching 90 percent. But sophisticated adversaries are able to surmount even these defenses, leaving our networks at risk.
In cyber, offense is dominant. A fortress mentality will not work. We cannot retreat behind a Maginot line of firewalls. In this way cyber is much like maneuver warfare, in which speed and counterattack matter most. If we stand still for a minute, our adversaries will overtake us. Given the dominance of offense, our defenses need to be dynamic. We need to respond to attacks at network speed, as they happen or even before they arrive.
The core of our effort in this regard is at the National Security Agency. The NSA has developed systems that give us the kind of active defenses we need. These active defenses, which use foreign intelligence to help anticipate threats, prevent the last 10 or 20 percent of sophisticated intrusions. Moreover, intrusions will not always be caught at the boundary. Some of them will inevitably evade detection. To find intruders once they are inside, we have to be able to hunt on our own networks.
Cyber is also an area in which the U.S. cannot go it alone. There is a strong logic to collective cyber defenses. Alliances are powerful tools. I have traveled to Australia and the U.K., and will soon be going to Canada. We are seeking to develop a system of shared warning and shared technology. Collective cyber defenses are similar to air and missile defense in that the more attack signatures that you see, the better your defenses will be. The concept of collective defense is a key part of our strategy.
Facing these foundational challenges, we made a decision to establish a military command for cyber operations. Until recently, the military's cyber effort was run by a loose confederation of joint task forces spread too far and too wide, both geographically and institutionally, to be fully effective. Secretary Gates recognized that the scale of the cyber enterprise had outgrown the military's existing structures. Last June, he ordered their consolidation into a single four-star command, U.S. Cyber Command. Cyber Command, a sub-unified command, is a part of the U.S. Strategic Command. Cyber Command will perform three core missions. It will lead the day-to-day defense of .mil networks. It will support military and counterterrorism missions. And under the leadership of the Department of Homeland Security, it will assist civil authorities and industry partners.
We achieved initial operations capability at Cyber Command last Friday. Gen. Keith Alexander, head of the National Security Agency, has been appointed its commander. The key part of Cyber Command is its linking of intelligence, offense, and defense under one roof.
In cyber, the capability to repel attackers is closely tied to the ability to identify threats and anticipate intrusions. You will not be effective in the cyber world if you segregate these three functions. We also need a command to lead the planning, training, and equipping of our forces. In the military, we exercise our capabilities on target ranges and in a variety of simulations. We do not yet have that capability in the cyber world.
So DARPA, which helped build the Internet decades ago, is developing a national cyber training range - in effect a model of the Internet. Once operational, the training range will allow us to test tactics before we field them. A single chain of command runs from the head of Cyber Command to individual units around the world. Service commands, including the Army's Network Enterprise Technology Command, the Navy's 10th Fleet Cyber Command, and the 24th Air Force, will ensure cyber is a regular part of training and equipping the force.
3 Major Challenges Ahead
With Cyber Command, the progress we are now making is significant. But we will not be successful unless we continue to augment our capabilities and our personnel. So today I would like to describe our next steps in cyber. I see three major challenges ahead: strengthening our human capital over the long term, rethinking IT acquisition and providing security for those parts of the commercial Internet DoD depends upon.
Our effectiveness in IT is to a great degree predicated on our ability to train sufficient numbers of qualified personnel. In the last two years, we have increased the number of trained cyber professionals and deepened the level of their training. This includes a formal certification program for information assurance and training our network administrators. But even as we strengthen our cadre of cyber professionals, we must recognize that the long-term trend in human capital is against us.
Over the next 20 years there is little doubt that China or India will train more computer scientists than we will. We will not be able to keep up. Demographics work against us. If our cyber advantage is predicated solely upon amassing trained cyber professionals, we will lose. So we need to confront cyber in the same way we confront other quantitatively dominant competitors. We do not always compete on numbers. We compete on technology and information dominance. The same will be true in cyber. We will need automated systems, sensors, and artificial intelligence to multiply the value of the trained cyber professionals we have.
Beyond human capital, improving the acquisition of information technology is a pressing concern. The department has a traditional way of acquiring technology. It is generally focused on developing airplanes, tanks, and ships. In this very ordered process we decide what the mission is, identify requirements to meet that mission, and analyze alternatives to meet those requirements. Only then do we develop a program and budget for it. Eight or nine years later we actually have something. Now this may seem like a long time, but this nation has the best technology any military has ever seen. So the system actually works pretty well.
To date, our acquisition of IT largely follows this model. On average, it takes the Department 81 months from when an IT program is first funded to when it becomes operational. But if we take into account the continued growth of computing power, as suggested by Moore's law, this means that systems are being delivered four to five generations behind the state of the art. By comparison, the iPhone was developed in 24 months. That is less time than it would take us to prepare and defend a budget and receive Congressional approval for it. Steve Jobs gets an iPhone. We get a budget. It's not an acceptable trade.
IT Acquisition Task Force
So we have established a new task force to improve our approach to IT acquisition. The Task Force reports directly to me. I have directed it to study how we can refashion IT acquisition around four principles. First, heeding Secretary Gates' call to make our department more agile, speed must be our overarching priority. We need to match the acquisition process to the technology development cycle. In IT, this means 12- to 36-month cycles, not seven or eight years.
Second, we must acknowledge that incremental development, testing, and whenever possible, fielding of new capabilities provides better outcomes in IT than trying to deploy large complex systems in one "big bang."
Third, to achieve speedy, incremental improvements, we need to carefully examine how to establish the requirements that govern acquisition. Systems must always be tailored to serve the needs of end users, but departing from standard architectures in IT imposes great costs. To achieve speed, we must be willing to sacrifice or defer some customization. Making use of established standards, and open modular platforms, is of paramount importance.
Fourth, the department's IT needs range from modernizing nuclear command and control systems to updating word processing software on our office computers. We must recognize that different IT applications demand different levels of oversight and enterprise integration. We are working to outline a series of acquisition paths that apply high levels of institutional due diligence where it is needed and strip away excess requirements where it is not.
The problem we are trying to solve is not an easy one. The Defense Department has unique IT needs that limit our ability to replicate the dynamism of private industry. Our systems must work across business, war-fighting, and intelligence applications. We cannot usually go without the functionality of existing systems as they are being updated or replaced. And for us it is not merely about purchasing new technology. The planning, programming, and congressionally-mandated budgeting process must all be in alignment.
Despite these significant obstacles, I believe we can make dramatic improvements in IT acquisition. Our focus is on identifying who is being innovative, how to make better use of existing authorities, and where to try pilot projects. Our intent is to target things we can change now, while laying the foundation for longer term reforms that may require Congress to legislate new authorities.
Finally, the best-laid defenses on military networks will matter little unless our civilian critical infrastructure is also protected. Critical infrastructure will certainly be targeted in a military conflict. The Department of Homeland Security appropriately has the lead to protect the .gov and .com domains. The Defense Department plays an important supporting role in this mission, and has direct responsibility for securing defense industry networks.
Years of concerted investments on the military side have placed critical cyber capabilities within the Defense Department and National Security Agency. We are already using our technical capabilities to support DHS in developing the Einstein 2 and 3 programs to protect government networks.
Protecting Civilian Systems
We need to think imaginatively about how this technology can also help secure a space on the Internet for critical government and commercial applications. For the .com world, could we create a secure architecture that lets private parties opt in to the protections afforded by active defenses? In this way protection would be voluntary. Operators of critical infrastructure could opt in to a government-sponsored security regime. Individual users who do not want to enroll could stay in the "wild wild West" of the unprotected Internet. This type of secure.com approach could build on the collaboration between DoD and the defense industry. It could offer an important gateway to ensure our nation's critical infrastructure is protected from cyber attacks.
As you can see, the front line of national security has been redefined. Although the challenges we face in cyber seem daunting, it is useful to remember that we are at the beginning of a new technological age. So let me leave you with this simple observation.
We just marked the 20th anniversary of the World Wide Web. In comparison, we have just passed the 100th anniversary of military aviation. The Wright Brothers brought their military flyer to the national capital for its first demonstration flight 100 years ago last June. It was the first time the Army Signal Corps had purchased an airplane. We are now 100 years into military aviation, whereas with cyber we only have 20 years of collective experience. Essentially, in the cyber world, it's 1929. We are still in the era of dirigibles and biplanes.
We are at the dawn of a new epoch, with decades of innovations in safety, performance, and reliability to come. We have a lot of work to do to make the cyber domain safe, so its revolutionary innovations can be used without fear of endangering our national and economic security. But with the advent of Cyber Command and the other steps DoD is taking, we are well on our way.