Deputy Defense Secretary William J. Lynn III returned Feb. 15 from a two-day cybersecurity-focused trip here that included a keynote speech and meetings with industry leaders.
Throughout his visit, Mr. Lynn focused on communicating with information technology professionals, whom he terms critical to national efforts to protect key defense and economic networks.
The long-term objective for cybersecurity, Mr. Lynn noted, is to impose “more costs” on cyber attackers without depriving the Internet of its dynamism.
“Across the board, we heard from all of these companies that this is possible,” he said. “It’s not fast. It’s not like we can put a patch out. This is a more fundamental re-engineering, but I think it is possible without huge disruption.”
During a speech at the RSA Conference 2011 and in meetings with executives from small tech start-up companies and information technology giants such as Intel, Google and Microsoft, the deputy secretary stressed a few key themes:
- Threats to the cyber domain are varied and will increase;
- Action now can maintain the nation’s military and economic edge in that domain; and
- A combined whole-of-government and industry effort is necessary for cybersecurity.
“The (cyber) threat is still maturing,” Mr. Lynn told reporters at the conference, which brought together thousands of security, cryptanalyst and information technology professionals. Though the threat currently is limited mostly to exploitation and disruption efforts, he said during his speech, the capability for destructive attacks exists. He added that on the exploitation front, more than 100 foreign intelligence services have launched attempts to infiltrate Defense Department networks.
Disruption or denial-of-service attacks are a more elevated cyber threat, he said. Mr. Lynn cited attacks in Estonia in 2007 and the former Soviet republic of Georgia in 2008, and, more recently, a hacker group’s targeting of eBay and PayPal, as prime examples.
Destructive attacks, using cyber tools to cause physical damage, are emerging only now as a threat, the deputy secretary said.
“The threat we see today is probably not the threat we’re going to see tomorrow,” Mr. Lynn said. “We need to get ahead of that game.”
The cyber threat is likely to increase in two directions, he said: up the ladder of escalation from exploitation to destruction, and from nation-states to nonstate actors.
“We’re at this transition point now, which actually gives us a little time where the most destructive capabilities are not in the hands of the people who would be most likely to use them,” he said.
That additional time offers a chance to strengthen the cyber domain against developing threats, he added.
Mr. Lynn emphasized the need for urgency in developing a strategy and getting cyberdefense capabilities in place. The deputy secretary also reiterated another key point from his speech: cyberdefense cannot be likened to traditional military missions, such as air defense.
Cyber and much of the critical infrastructure it touches — such as power grids and transportation networks — are largely in the private sector, he noted.
“We need this public-private partnership, and we need a partnership across the whole of government,” he said.
Mr. Lynn pointed out that the Defense Department plays a supporting role within U.S. borders.
“DOD has capabilities, but in terms of protecting critical infrastructure, the lead agency there is the Department of Homeland Security,” he said. “We work through them, just as we do on hurricane relief.”
Mr. Lynn said his meetings here this week with information technology pioneers offered an opportunity to seek industry’s views on “changing the balance” in an IT infrastructure that now favors attackers.
Altering the Internet’s offense-defense balance will take a number of years, the deputy secretary said, but he added that he is encouraged that industry leaders told him software and hardware technologies are available that can help in achieving that objective.
“In the interim, we’re pursuing robust defenses,” he said.
Mr. Lynn, who has made cybersecurity a priority in his interactions with other militaries, NATO partners and private industry, received the 2011 RSA Conference award for excellence in public policy.