By Jim Garamone
American Forces Press Service
“Any major future conflict will almost certainly include elements of cyberwarfare,” he said. “And the threat posed by cyberwarfare extends far beyond military operations – it extends to the very heart of our economy.”
The department was always aware of the threats posed by hackers, nation states or terror groups in the cyberworld, but DOD experienced a wake-up call in 2008 when an intrusion into military networks extended to the classified realm.
“Up to that point, we did not think our classified networks could be penetrated,”
The compromise, he said, occurred when someone in the
Middle East used a thumb drive to transfer data from the unclassified network to the classified network. The department launched Operation Buckshot Yankee to repair the breach and spent a lot of time, energy and money to remedy the situation. The attack led to a new approach to cyber security in the Pentagon, Lynn said.
“Some of the most sophisticated defense softwares that are commercially available now have between 5 million and 10 million lines of code,” he said. “They are massive, work intensive, difficult products to develop.”
However, “the average malware has stayed constant over the last decade at 170 lines of code,”
said. This mismatch between cyber offense and defense is substantial, he said, and will be a fact of life for the immediate future. Lynn
A second attribute of the cyberthreat is the difficulty of finding out who launched the attack,
said, noting a keystroke can fly around the world in seconds. Lynn
“The forensics of identifying an attacker can take weeks, months -- or even years -- if you can do it at all,” the deputy secretary said.
said, breaks down conventional deterrence strategy that was employed during the Cold War. “If you don’t know who to attribute an attack to, you can’t retaliate against that attack, so you can’t deter through the threat of punishment,” he said. Lynn
A third attribute,
said, is that cyberwarfare is offense-dominant. The Internet, he said, was not developed with security in mind. Instead, he added, the Internet is open, transparent and encourages ease of technical innovation. Lynn
“Structurally, you will find the defender is always lagging behind the attacker in terms of developing measures and countermeasures,”
said. “Adept programmers will always be able to find vulnerabilities and challenge security measures.” Lynn
Given the nature of the cyperthreat,
said, DOD cannot adopt a bunker-type, defensive mentality -- hunkered down behind a seemingly impenetrable wall, but in reality exposed to dangers. Lynn
“We need to be more innovative and active,”
The bottom line, he said, is that cyber is a new domain of warfare, like land, sea, air and space. The new domain needs policies, doctrine, planning, resources and strategy like the other domains,
said, noting this is one reason why the department stood up U.S. Cyber Command in May. Lynn
Cyberdefenses need to be active,
said. While computer hygiene and perimeter defenses will catch and stop about 80 percent of cyberthreats, he said, the final 20 percent need active defenses. So, DOD needs tools that search and hunt down cyberthreats inside networks, he added. Lynn
Cyberdefense also is a shared activity,
said, with the more attack signatures identified, the better the protection. Shared warning among allies –- a basis of Cold War strategy –- is just as important today, he said, noting the Lynn is sharing information with the United States , United Kingdom and Australia . Canada
is now looking to NATO to expand that cyberdefense umbrella, the deputy secretary said, noting there will likely be a strong statement on cybersecurity during the November NATO summit in United States . Lisbon, Portugal
“We need to continue to leverage [the]
technological base to retain the cyber advantage,” U.S. said. Lynn also needs to use technical innovation to change the terms of the offense-defense equation, he added. America
“Over time, we can develop techniques that will even out offense and defense to a greater degree than we see now,”
The Defense Advanced Research Projects Agency and other DOD organizations, he said, are looking at this offense-defense balance and ways it may be made more equal.