Lynn Details Threats to U.S., NATO Cybersecurity
By Jim Garamone
American Forces Press Service
BRUSSELS, Belgium, Sep. 15, 2010 – If it’s not protected, the great technological superiority the United States and NATO enjoy also could be a great vulnerability, Deputy Defense Secretary William J. Lynn III said here today.
Speaking at an event sponsored by the Security and Defense Agenda, Lynn said information technology is the basis for much of the military capabilities fielded by the United States and other NATO countries, and that all nations need to invest in cybersecurity.
“[Information systems] provide the kind of real-time situational awareness, the sophisticated command and control, the precision targeting – all the elements that have made it very difficult for any adversary or set of adversaries to challenge us directly in any military confrontation,” he said.
But that strength and reliance also can prove to be a liability, he said. Adversaries can challenge the NATO countries indirectly by compromising information technology. This was brought home in 2008, when a foreign intelligence agency got an infected flash drive into a classified Defense Department computer network in the Middle East. “Malware was loaded on our classified network, and … our systems were compromised,” Lynn said.
The response was called Operation Buckshot Yankee, and it entailed remedial efforts to clean up the spillage, Lynn said. The incident and the subsequent operation led to a change in thinking in the department toward the cybersecurity threat, he added.
Officials realized that cyber attacks or cyber espionage will be increasingly a preferred way for enemies to confront the American military, the deputy secretary said.
“It’s relatively low-cost,” he explained. “You don’t have to invest in fleets of … tanks, planes [or] ships to have a very significant capability to challenge even a sophisticated adversary.”
More than 100 foreign intelligence agencies are trying to hack into Defense Department systems on a daily basis, he said.
Cyber attacks are attractive because of the difficulty of determining who actually launched them, Lynn said. A virus or malware travels at the speed of light, and pinpointing exactly who launched an attack can take months to decipher, if it’s possible at all, he added.
This type of attack also breaks down the strategy of deterrence to an extent, the deputy secretary said. The old idea was that if an adversary launched an attack, the United States would launch a devastating attack in return.
“Where you have difficulties with attribution, it’s hard to guarantee assured retaliation, because you don’t know who to retaliate against,” he explained. “Also, as the set of adversaries we face has shifted to more non-governments – terrorists such as al-Qaida – even if you determine the origin of the attack, they might not have assets that you can truly hold at risk.”
This means the Defense Department has to shift from retaliation to denying an enemy benefit from an attack by beefing up cybersecurity, Lynn said. Still, he added, this is difficult, because attackers have the advantage.
The Internet is open by its nature, the deputy secretary said, as Defense Advanced Research Projects Agency scientists designed it to facilitate the free and fast flow of information.
“It was not designed with security in mind,” he said. “As defenders, we have to defend every portal. As attackers, a single failure can gain entrance to the networks and allow them to compromise those networks.”
This calls for a different approach to cybersecurity, because no country can hide its networks behind a cyber Maginot Line of firewalls and intrusion devices, the deputy secretary said. “We need a strategy that can deny the benefit to the attackers despite the numerous advantages that the attackers have,” Lynn said.
All of this is further complicated by the fact that attacks are not limited to the Internet.
“You have to look at the supply chain,” Lynn said. Counterfeit chips and malicious code are threats, and they can be extremely difficult to find and fix, he explained.
Lynn said any cybersecurity strategy really has to include nonmilitary systems as well as military systems. The infrastructure networks – the power grid, the transportation networks, the financial networks – are critical in their own right to national security, he said.
The deputy secretary argued for a flexible and fast cybersecurity system.
“I think you have to be modest about your ability to predict about where the threat is going to come from,” he said. “The theory is helpful, but not very predictive.”
He said there have been many conjectures, but no one has been particularly good about pinpointing the adversary or what form an attack will take, even in conventional warfare.
“When you look at a strategy, you have to adopt one that is flexible and adaptable in its own right,” he said, “because of the difficulty in predicting the threat and where this threat will appear.”