Cyber security

U.S. Department of Defense Office of the Assistant Secretary of Defense (Public Affairs)

Speech
On the Web:
http://www.defense.gov/Speeches/Speech.aspx?SpeechID=1509

Public contact:
http://www.defense.gov/landing/comment.aspx

Media contact: +1 (703) 697-5131/697-5132

or +1 (703) 428-0711 +1

Remarks on Cyber at the Council on Foreign Relations As Delivered by Deputy Secretary ofDefense William J. Lynn, III, Council on Foreign Relations, New York City, Thursday, September 30, 2010

Thank you Nicholas. I appreciate the kind introduction. It is a pleasure to be here at the Council on Foreign Relations. I have been working closely on cyber security this past year. I am here in New York to share the Defense Department’s perspective on this new and troubling threat. Withoutquestion, the United States is the world's leading producers and consumers of information technology. It powers our economies. It enables almost everything our militaries do. But cyber also poses a threat. Our very reliance on cyber furnishes an obvious route for adversaries to attack us. Cyber is therefore a source of potential vulnerability. Today I would like to share how the Department ofDefense is addressing cyber security. The Department of Defense operates more than 15,000 networks. We have seven million computing devices. 90,000 people are directly involved in the operation of our information technology. We rely not only on our own networks, but also on many commercial and government networks outside the .mil domain. The fact is that our department depends on the overall ITinfrastructure of our nation. The threat to these networks is substantial. They are scanned millions of time a day. They are probed thousands of times a day. And we have not always been successful in stopping intrusions. In fact, we have experienced damaging penetrations. As disclosed in a Foreign Affairs article I published this month, the Pentagon suffered the worst Cyber attack in its history in2008. It began when an infected thumb drive was inserted into a military laptop in the Middle East. Malicious computer code placed by a foreign intelligence agency uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead that could remove data to servers under foreigncontrol. It was any network administrator’s worst fear: a rogue program operating silently on your system, poised to deliver operational plans into the hands of an unknown adversary. The cyber threat is here now, and the U.S. needs to confront it. The Pentagon’s strategy concentrates on a few central attributes of cyber. First, cyber is an especially asymmetric technology. The low cost of computingdevices means that our adversaries do not have to build expensive weapons, like stealth fighters and aircraft carriers, to pose a significant threat to our military capabilities. A dozen determined programmers, if they find a vulnerability to exploit, could pose a serious threat. Knowing this, many militaries are developing offensive cyber capabilities, and more than 100 foreign intelligenceorganizations are trying to break into U.S. systems. Cyber is also attractive to our adversaries because it is hard to identify the origin of an attack. A keystroke travels twice around the world in 300 milliseconds. But the forensics necessary to identify an attacker may take months. Without establishing the identity of the attacker in near real time, our paradigm of deterrence breaks down. Missiles comewith a

return address. Cyber attacks, for the most part, do not. For these reasons established models of deterrence do not wholly apply. Even if the attached is identified, they may be a terrorist group with no assets to strike back at. Deterrence in these circumstances will of necessity be based more on concepts of denial of benefit than imposing cost through retaliation. The challenge is...