United States Department of Defense

Deputy Secretary of Defense Speech

Press Operations


Town Hall Meeting with Facebook Employees

As Delivered by Deputy Secretary of Defense William J. Lynn, III, Facebook Headquarters, Palo Alto, California, Wednesday, April 28, 2010

Thanks very much, Ted. 

It's terrific to join you here.  It's really good to get out of Washington.  They don't let me out much. 

One of the purposes of getting outside Washington is to get a much more diverse set of views than you're able to get inside the Beltway.  On Monday we met with some of the troops -- Marines at Camp Pendleton, Sailors at North Island and on the USS CARL VINSON.  Then we went to LA to meet with some of the defense industry and IT industry there.  Now is our chance to be here in Silicon Valley to meet with you and see some of the exciting things you are doing.

You are very much a part of our world.  As Ted indicated, we have a new policy on social media.  I'll talk about that in a minute, and am happy to take questions on that.  We're also very much a part of your world.  We use social media just as other organizations do.  It's a critical element for us in terms of recruiting.  The kind of demographic that we want to recruit into the military are heavy users of social media.  We would be depriving ourselves of the best and the brightest if we didn't use social media.

Social media also helps us keep our families connected while we're on deployments.  We have over 230,000 children who have parents deployed overseas at this point.  Many of them use social media to stay in touch with their families on these long and now frequent deployments.

More generally for the department, social media is a means of communicating policies and news.  We actually used it to communicate the new directive itself.  We didn't do it via traditional media.  We went and used social media when we issued the new directive.  So we are trying to be part of your world, and we think it allows the department to do its job of protecting the nation's security in a more efficient and better and more cost-effective way.

But like just about every information technology tool, the same things that bring advantages breed vulnerabilities.  Social network sites and social media are no exception to that.  The information there can be used to spoof users and attack networks.  It's a vulnerability that has to be addressed.

Now when we came into office, the approach that we thought was being used to address that vulnerability was frankly too ad hoc.  Different services had different approaches.  It also was too static.  It focused largely on blocking sites that people thought had the most potential vulnerability.  It didn't have the agility that you need in the information technology world to have a truly effective defense.

The result was that we were losing the benefits of social media and we were gaining very little in terms of the security of our networks.  So we came up with a new approach, where we are trying to balance the need for security with the benefit of social media.  We've eliminated any of the blocks on social network sites, and that's one of the intents of the new directive. 

At the same time, though, we are trying to balance that with strengthening our defenses.  The approach here is open access with strong defenses.  We had time with some of your leaders here, and I think that's a similar approach that Facebook itself is taking to security.

Let me describe the way DoD approaches defense.  It's on three levels.  The first and most basic one is just ordinary hygiene.  Download the patch.  We keep the antivirus software up to date, make sure users understand how to access the patches, and how to access the various updates as they come.  As we were talking earlier, I think one of the important elements we're learning in the social media is we need our users to have a very good understanding of the privacy protections that are available on sites like Facebook so that they are informed users, and they take steps to protect themselves.  So that’s ordinary hygiene.  In a very rough estimate we think that those kinds of steps probably will address on average half the kinds of attacks that you'll see on networks.

The next step the DoD is taking is perimeter defenses.  These are network intrusion detection systems, other kinds of devices on the routers, and servers that protect the network as a whole.  We try and keep these up to date.  We're constantly changing our technology and we think effective use of those kinds of things probably knocks out another 30 to 40 percent of the challenges we face on the network.

To deal with that last 10 percent, we think we need a very active type of defense.  We need to fuse the nation's intelligence capabilities with cyber-security capabilities.  We're proposing in that light to set up a cyber command as a sub-unified command, part of the Strategic Command, to fuse all of our cyber-security activities: offense, defense, information assurance.  And that way we'll get the more active defenses and that's how we'll deal with the most sophisticated types of intrusions.  Active defense is a critical part of our approach.

At the same time in the security arena, we are recognizing that cyberspace itself is really now another domain of conflict.  It's like land, sea, air, and space.  We have to treat it as a domain.  It's a domain that we have to protect.  It's a critical domain the military has to operate effectively in.  If people are able to attack our networks, they'll deprive the military of many of the benefits of the technological advantages that we have spent so much of the taxpayers' resources to build. 

We also need to partner with industry as we walk down this road of greater cyber-security.  One of the observations I found was telling was from a techie I visited in Australia, who pointed out that we can never keep up with the more populous nations, China and India, over the next couple of decades in terms of trained cyber professionals.  There's just no chance over time that we'll be able to keep training people like you at the same pace they are.  It's just a demographic reality.  They're going to have more.

So we need to partner with industry, partner with people like yourselves.  We need to multiply the effectiveness of our trained cyber-professionals through things like artificial intelligence.  In military terms we need a force multiplier.  Otherwise, we'll never be able to keep up.  So we need to spend time on this coast as well as in Washington, understanding the potentials for technology to give us those kinds of capabilities that will multiply the effectiveness of our trained people.

Another partnership we need to have with industry is in how we acquire technology.  The DoD has a traditional way of acquiring technology.  It’s generally focused on big large buys and large pieces of equipment: airplanes, tanks, ships.  And it's a very ordered process where we decide what the mission is, then identify what the requirements are to meet that mission.  Then we analyze the alternatives to meet those requirements, then we develop a program, and then we budget for that program.  And eight or nine years later we actually have something. 


And it’s not a joke.  That's about how long it takes.

This nation has the best technology any military has ever seen, so it actually works pretty well. Not perfectly, and we’re making some improvements for large pieces of military equipment. It doesn't work very well for software, for apps.  To give you an example, 81 months is about the average it takes for us to develop and buy something.  The iPhone was developed in 24 months.  It would take us 24 months to budget for it. 


I'm not kidding.  To actually prepare a budget, to bring it to Congress, defend it in front of Congress, and then get Congress to approve it would take us about 24 months.  That is not the kind of agility we need in this world.

We need to develop an acquisition system that's going to go at the speed of IT technology.  So Regina Dugan's here, the head of DARPA, and others.  We're trying to develop new approaches for acquisition of things that move at that much faster pace of technology, like software.

At the end of the day the front lines of national security have clearly been redefined.  National and economic security are intertwined in terms of our information technologies, which are both a huge advantage and potential vulnerability.  We have to balance those potential vulnerabilities with those large benefits.  As I said, we need an approach with social media that's both open access and strong defense.  We need to work with people like yourselves to make sure that we're applying this technology in the national security interest, and we're doing it in a smart way.

That's what I wanted to say in terms of prepared remarks.  I would love to have a conversation with you and answer some questions. 

