Seal of the Department of Defense U.S. Department of Defense
Office of the Assistant Secretary of Defense (Public Affairs)
On the Web:
Media contact: +1 (703) 697-5131/697-5132
Public contact:
or +1 (703) 571-3343

Speech on Cyber Security at the Center for Strategic and International Studies
As Delivered by Deputy Secretary of Defense William J. Lynn , Center for Strategic and International Studies, Washington, D.C , Monday, June 15, 2009

I come to you today on behalf of an administration that's seeking that same bipartisan problem-solving spirit. We have a president who, in one of his first acts in national security, reached across the aisle and chose the secretary of Defense from his previous -- from the previous administration, a secretary from another party. In Secretary Gates, we have a secretary who, in his long career here in Washington, has worked for eight presidents of both parties.

This bipartisan approach, I believe, is the reason we've been able to use these first few months not merely to tread water, which is the usual criticism of a new administration's early budgets and policy decisions, but really to make some of the hard decisions in the defense budget and try and start pursuing a new direction in defense.

To keep our armed forces the best-trained, the best-equipped, the best-led military in the world, we're increasing the defense budget between fiscal '9 and fiscal '10. To ensure our forces can meet today's missions, especially in Iraq and Afghanistan, we've halted any personnel reductions in the Navy and the Air Force, and we've achieved increases in the Army and the Marine Corps, and we've done that two years ahead of schedule.

To give our warfighters the tools and the technologies they need when they need them, we're making major reforms. We've cancelled unproven weapon systems, we're investing in weapon systems we know that work, and we've launched a series of initiatives to finally bring us true acquisition reform.

And to better prepare our forces for the range of challenges they'll face, the conventional and the unconventional and the hybrid warfare that combines them both, we're making irregular warfare a regular part of America's military planning.

As the president said at the Naval Academy, quote, "We must overcome the full spectrum of threats. This includes the nation-state and the terrorist network, the spread of deadly technologies and the spread of hateful ideologies, 18th century piracy and 21st century cyberthreats."

It's that last challenge that brings me here today, although standing in front of this crowd I'm reminded of the old story of an individual who passed and went up to heaven, and he had been -- had a -- the defining experience in his life had been surviving a flood. Whenever he was asked to speak, that's what he spoke about.

So when he gets to heaven, Saint Peter says, "Well, looking good for your admission, but you're going to have to make a speech to the rest of the team up here." He says, "No problem, I'll talk about my experience in the flood." Saint Peter said, "Well that's fine, but recognize Noah will be in the audience."

I noticed all the arks parked out in front, and I know I've got a lot of Noahs, when it comes to cybersecurity, in this audience. Many of you have been dealing with this issue for years -- in government, in industry, in academia -- so I won't presume to educate this audience.

But I do believe today's an opportunity to deepen our understanding of this issue, because in recent months we've taken new steps to meet the challenge. Starting with Jim Lewis -- and the CSIS Commission on Cybersecurity issued its report last December. I think that's become the touchstone document as people have looked this year at the new challenges of cybersecurity. I want to commend Jim, you and your team, for that terrific effort.

In April, a panel of the National Academy of Sciences issued a draft report on cyberthreats and how we might respond. More recently, the president just completed his 60-day review, coming into office, of the cybersecurity arena. And I want to recognize Melissa Hathaway for leading us through that difficult interagency thicket and bringing out a really solid report that's, I think, going to set the agenda for President Obama's term, on terms of how he deals with cybersecurity and securing America's digital infrastructure.

Each of these efforts offered a broad range of recommendations. But there was one recommendation that they all shared: The need for greater public awareness of the cyberthreat to our country and how we can protect ourselves.

So today I want to speak about what this challenge means for the Department of Defense. And I want to be very clear about this. Even though it risks stating the obvious, I'm the deputy secretary of Defense; I'm here to focus on how the Department of Defense protects and defends the Defense and military computer networks: what we're facing, what we've done so far, what we're doing today, and what we need to think about going forward.

Just like our national dependence, there is simply no exaggerating our military dependence on our information networks. The command and control of our forces, the intelligence and logistics upon which they depend, the weapons technologies we develop and field, they all depend on our computer systems and networks. Indeed, our 21st- century military simply cannot function without them.

Not surprisingly, our networks, some 15,000 of them -- including some 7 million computers, IT devices, laptops, servers -- all make for a tempting target. But this is not an emerging threat. This is not some future threat. This cyberthreat is here today. It is here now. In fact, the cyberthreat to the Department of Defense represents an unprecedented challenge to our national security by virtue of its source, its speed and its scope.

There's the source. The power to disrupt and destroy, once the sole province of nations, now also rests with small groups and individuals, from terrorist groups to organized crime, from hacker activists to teenage hackers, from industrial spies to foreign intelligence services. We know that foreign governments are developing offensive cybercapabilities and that more than 100 foreign intelligence organizations are trying to hack into U.S. networks.

We know, as Director of National Intelligence Dennis Blair has stated, that both Russia and China have the capability to disrupt elements of the nation’s information infrastructure. We know that organized criminal groups and individual hackers are building global networks of compromised computers, botnets and zombies, and then selling or renting them to the highest bidder, in essence becoming 21st-century cybermercenaries.

We know that terrorist groups are active on thousands of websites and that al Qaeda and other terrorist groups have expressed their desire to unleash coordinated cyberattacks on the United States.

Next, there's the speed of the threat. As I believe John Hamre noted when he was deputy secretary, in the 18th and 19th century we faced a threat where ships crossed the ocean in days. In World War II, aircraft could cross the ocean in hours. In the Cold War, missiles could do it in minutes. And now today, cyberattacks can strike in milliseconds.

Such speed has profound implications for how we protect the department's networks. If attacked in milliseconds, we can't take days to organize and coordinate our defenses. If our networks to be -- were to be disrupted or damaged, we'd need to respond rapidly, at network speed, before the networks could become compromised and ongoing operations or the lives of our military are threatened. In short, we have to be just as fast or faster than those who would do us harm.

Finally, there's the scope of the threat. Instead of simply keeping adversaries out of our homeland, we have to prevent large- scale cyberattacks inside the homeland, inside the networks. Consider the main targets, which loosely mirror the three domains dot-mil, dot- gov and dot-com.

First, dot-mil. We face attacks, as I've said, on military and defense networks, perhaps with the intent to disrupt military operations. As Secretary Gates has said publicly, our defense networks are constantly under attack. They are probed thousands of times a day. They are scanned millions of times a day. And the frequency and sophistication of attacks are increasing exponentially.

As the president acknowledged last month, we experienced one of the most significant attacks on our military networks last year. Several thousand computers were infected by malicious software, forcing our troops and defense personnel to give up their external memory devices and thumb drives, changing the way they use computers every day.

Fortunately, cyberattacks on our military networks have not cost any lives -- not yet. But they are costing an increasing amount of money. In a recent six-month period alone last year, the Defense Department spent more than a hundred million dollars defending its networks. Guided by last year's comprehensive national cybersecurity initiative, the department is spending billions annually in a proactive effort to protect and defend our networks.
Second, dot-gov. Here we face attacks on civilian government networks, perhaps to slow our response in a crisis. We see the risk every day, with federal networks being breached thousands of times. We have seen the networks of foreign governments, such as Estonia and Kyrgyzstan, crippled by denial-of-service attacks. And during last year's Russian invasion of Georgia, we saw cyberattacks shut down Georgia's government and commercial websites. A military attack on -- alongside cyberattack—the very definition of hybrid warfare.

Third, and most broadly, dot-com. These include attacks on our privately owned critical infrastructure, transportation, telecommunications, power and financial grids on which our national security and the economy depend. Already, cyberattacks have taken down power grids in other country (sic), knocking the lights out in multiple cities.

Likewise, attacks are on the rise against our defense contractors, who face cyberespionage from foreign governments, competitors and criminals. Indeed, major aerospace weapons platforms have experienced intrusions that have compromised unclassified but sensitive technical information.

For all these reasons, the president last month called the cyberthreat, quote, "one of the most serious and -- one of the most serious economic and national-security challenges we face as a nation."

So what are we doing, to confront this challenge, at the Department of Defense? The American people and our men in uniform should know -- men and women in uniform should know this.

Starting in large part with John Hamre's efforts, in the late- 1990s, the department has built strong, layered and robust cyberdefenses. The department has formally recognized cyberspace for what it is: a domain similar to land, sea, air and space; a domain that we depend upon and need to protect.

Just as we need freedom of navigation of the seas, we need freedom of movement online. Just as we protect the front gate at military bases, we must protect the back doors, the systems and networks that our adversaries seek to exploit.

This is not some expansion or extension of our mission at the Department of Defense. On the contrary, it is keeping with our defined and historic mission, to protect and defend our national security and to protect the lives of our men and women in uniform.

So the Department of Defense will defend its computer networks. We will protect this domain. Just as the president has called protecting the nation's networks a national security priority, protecting our defense networks is a defense priority.

To this end, the Office of the Secretary of Defense, our undersecretaries of Policy, Intelligence and the chief information officer provide the civilian oversight of our cybersecurity policy.

The national military strategy for cyberspace operation, developed by the chairman of the Joint Chiefs of Staff, lays out our strategy or ensuring our cybersecurity. And the military services, each have organized themselves accordingly.

The Army has created the Network Enterprise Technology Command in Arizona. The Navy has created the Naval Network Warfare Command in Norfolk. And soon the 24th Air Force, based most likely at Lackland Air Force Base in Texas, is being stood up.

And day-to-day responsibility for operating and defending our defense networks rests with the U.S. Strategic Command, STRATCOM. In this mission, STRATCOM receives critical support from the National Security Agency and from the Defense Information Systems Agency, two organizations that have long been responsible for building, operating and protecting the department's information systems.

And to insure the sensitive defense information, on the unclassified networks of our industry partners, we're proceeding with our Defense Industrial Base initiative, the DIB. We're working more closely than ever before with our defense contractors, sharing critical information on the latest cyberthreats and vulnerabilities, reporting incidents quicker and moving faster to respond and recover from attacks, as we did with the recent Conficker worm.

Together these efforts are why the CSIS report found that along with the intelligence community, the Defense Department is the best- prepared agency, when it comes to cyberdefenses. That said, we need to do better. In his remarks last month, the president warned that as a government and as a country, we are not as prepared as we should be.

The same is true of the Department of Defense. That is why cybersecurity is a central focus of the ongoing Quadrennial Defense Review. And that is why we need a doctrine to govern how we protect cyberspace, as a domain, how our forces are designed and trained to protect our networks.

The QDR will assess our current capabilities against this requirement and make recommendations for the future. But before even completing the QDR, we're pursuing a number of initiatives. These fall into three areas: culture, capabilities and command.

First, building a culture that makes cybersecurity a priority. We need a cadre of cyberexperts, who are trained and equipped with the latest technologies, to protect and defend our systems.

Yet today, our military schools only graduate about 80 of these experts per year.

So our budget for fiscal year 2010 includes funding to more than triple the number of experts we graduate, to 250 per year.

More broadly, in the department there are an estimated 90,000 personnel engaged in administering, monitoring and defending our 15,000 networks, but most are not formally certified in information assurance and cybersecurity. So we're proceeding with a training and certification program to build a truly world-class cyberforce [sic – cyber workforce].

And across the entire department, we're improving cybersecurity training, awareness and accountability for the more than 3 million military and civilian personnel who log onto military networks every day because, as General Kevin Chilton of STRATCOM has said, every network computer is on the front line, everyone who logs on is a cyberdefender first.

Second, we're improving our capabilities. Before we ever deploy our weapons systems into the field, we have subjected them to extensive tests and evaluations. Before we ever send our troops into battle, we test their skills and tactics on training ranges. Yet, we have no such equivalent in cybersecurity. So DARPA, which helped invent the Internet decades ago, is leading our effort to build a national cyber range -- in effect, a model of the Internet. This will allow us to engage in real-world simulations and develop tests and field new leap-ahead capabilities for cybersecurity.

As we build these capabilities, I would suggest that we must resist the temptation and the false comfort of trying to retreat behind a fortress of firewalls. Today's cyberthreats are organic and are constantly evolving. Our cyberdefenses must do the same. We can't afford a digital version of the Maginot Line, that static French defense of World War II that the French assumed would work -- excuse me, static French defense of World War I that the French assumed would work in World War II. Instead, we need to remember the lessons of maneuver warfare, from the Second World War to Operation Iraqi Freedom, where new tactics and technologies allowed nimble and agile forces to out-maneuver their adversary.

The third area in which we're taking action is command. Despite our progress at the department, we need to even better -- we need to be even better at detecting and defending against cyberattacks. We need to do it faster, at network speed. We need more people assigned and trained for this mission, and we need to end the jousting and jockeying within the department for personnel, for resources, for authority, that has often prevented a more coordinated and effective response to the cyberthreat.

As you have no doubt heard, we are considering the creation of a new command, a subordinate unified command under STRATCOM to lead, integrate and better coordinate the day-to-day defense and protection of our defense networks. As of today, Secretary Gates has not made the final decision on this command, but what I can tell you is this. Such a command would not represent the militarization of cyberspace. It would in no way be about the Defense Department trying to take over the government's cybersecurity efforts. On the contrary, such a command would not be responsible for the security of civilian computer networks outside the Defense Department.

Its mission would be to protect and defend our defense and military networks: "" Responsibility for protecting federal civilian networks would remain with the Department of Homeland Security. Likewise, responsibility for protecting private-sector networks would remain with the private sector.

Like other commands, a new command would be responsive to congressional oversight, would operate within all applicable laws, executive orders and regulations. What the president said last month of cybersecurity efforts across the government applies equally to our efforts at the Department of Defense. We can and we will protect our national security and uphold our civil liberties.

At the same time, we're mindful of the challenges ahead. We've marked the hundredth anniversary of military aviation but, by comparison, this year marks only the 20th anniversary of the World Wide Web. And as I've described, in many ways, as a country, as a government, we're still in the early stages of getting organized.

Indeed, how we ensure our cybersecurity in the decades ahead will depend on how we answer key questions.

For example, within the Department of Defense, what are the rules of the road? As the CSIS report noted, there are a whole host of questions that we face. How can we deter and prevent attacks? Deterrence is predicated on the assumption that you know the identity of your adversary, but that is rarely the case in cyberspace where it is so easy for an attacker to hide their identity.

Beyond the military, how do we organize government as a whole? The president will name a cybersecurity coordinator at the White House to coordinate efforts across the government. And as I've said, the Department of Homeland Security will remain the lead for protecting federal civilian networks. And yet, given the imperative of defending government networks, it would be inefficient -- indeed, irresponsible -- to not somehow leverage the unrivaled technical expertise and talent that resides at the National Security Agency, which has so much experience protecting our national security systems. What we must do, of course, is to apply that expertise in a way that upholds and respects our civil liberties.

Beyond our own government, how do we cooperate internationally? Many of the cyberattacks on U.S. networks originate overseas. Botnet attacks involve computers all over the world. How we protect and defend ourselves in the global -- in this global environment raises complex questions of national sovereignty and international law, and no single government would be able to confront these complexities alone.

Finally, beyond government, how do we partner with industry? Neither government nor the private sector can solve our cybersecurity challenges alone. Government needs industry, which owns and operates most of the nation's information infrastructure. The private sector needs government -- the government to establish coherent, effective and transparent laws and regulations. Yet, the difficulties of forging genuine public-private partnerships in this area are well known. Fundamentally, it comes down to trust: industry needs to trust government to protect its proprietary information; government needs to trust industry to protect its classified information on threats and vulnerabilities. Meanwhile, more adversaries are targeting our systems, more networks are being breached and more information is being compromised.

The Defense Industrial Base initiative I mentioned is one model of a new approach where government and industry come together to share information and strengthen our cyberdefenses. There are other models. And I would say to all of you here today -- from industry, from academia -- we need you to help us find the right model so that we can forge real partnerships of trust and cooperation that protect our security and our prosperity, because that in the end will be the only way that we'll meet the challenge, with partnerships of trust; the best minds in government and industry and academia here in the U.S. and around the world, working together.

That, as General Keith Alexander of the NSA has noted, was how the Allies broke Germans' Enigma encryption during World War II. That, as John Hamre knows from personal experience, was how we avoided the potential catastrophe posed by Y2K. And that is the spirit that we're committed to at the Department of Defense.

Working together, we can bring real cybersecurity to cyberspace. We can and we will protect our national security and our civil liberties, without compromising either.

Thank you very much for your attention.