Thank you Roger.
It is a pleasure to be here in Europe, and have so many of our closest allies and defense partners here with us today.
I would like to acknowledge Gerard Longuet and Peter Luff, and all of the other speakers who will join us.
This gathering of leading defense thinkers is itself an important affirmation of the strong ties our nations share. I would like to thank Roger, Admiral Laborde, and the French Ministry of Defense for hosting us.
Our conversation on the global security environment is a timely one. We meet as an unprecedented coalition effort over Libya is underway, and as the mission in Afghanistan is entering a pivotal new phase. We also meet during a period of fiscal austerity that is affecting defense budgets worldwide. These topics and others will make this year’s gathering a particularly relevant meeting place for national security policymakers.
Even as we discuss and debate the security challenges that dominate the present, we must also look ahead, to emerging threats and the dynamics that are likely to shape the future strategic environment. One of the most consequential aspects of our present and future security environment is the threat posed by computer network attacks. Today, I would like to address this development and its implications for international security.
Information technologies have revolutionized how our militaries organize, train, and equip. They are at the core of our most important military capabilities—communications, command and control, navigation, and intelligence, surveillance and reconnaissance.
But for all the military capability that information technology enables, it also introduces vulnerabilities. We learned this lesson in 2008 when a foreign intelligence agency used a thumb drive to penetrate our classified computer systems—something we thought was impossible. It was our worst fear: a rogue program operating silently on our system, poised to deliver operational plans into the hands of an enemy.
The cyber threat continues to grow, posing new dangers to our security that far exceed the 2008 breach of our classified systems.
To date, the most prevalent cyber threat has been exploitation of our networks. By that, I mean the theft of data from both government and commercial networks. On the government side, foreign intelligence services have exfiltrated military plans and weapons systems designs. Commercially, valuable source code and intellectual property have likewise been stolen from businesses and universities.
The recent intrusions at the International Monetary Fund, the U.S. defense contractor Lockheed Martin, and at Citibank join those that occurred in the oil and gas sector, at NASDAQ, and at Google as further, troubling instances of a widespread and serious phenomenon. Even some companies employing sophisticated commercial defenses have fallen victim to intrusions that have compromised services and stolen intellectual property.
Many of those in this room have first-hand experience with the cyber threat. The French Finance Ministry and European Commission are two institutions here on the continent to have suffered major intrusions in recent months.
This kind of cyber exploitation does not have the dramatic impact of a conventional military attack. But over the long term it has a corrosive effect that in some ways is more damaging. It blunts our edge in military technology and saps our competitiveness in the global economy.
More recently, a second cyber threat has emerged—and that is disruption of our networks. In this type of attack intruders seek to deny or degrade the use of important government or commercial networks. The denial of service attacks against Estonia in 2007 and against Georgia in 2008 are examples of this kind of threat. Along similar lines, the hacker group Anonymous targeted eBay and PayPal.
To this point, the disruptive attacks we have seen are relatively unsophisticated in nature, largely reversible, and short in duration. But in the future, more capable adversaries could potentially immobilize networks on an even wider scale, for longer periods of time.
The third and most dangerous cyber threat is destruction, where cyber tools are used to cause physical damage. This development—which would mark a strategic shift in the cyber threat—is only just emerging. But when you look at what tools are available, it is clear that this capability exists. It is possible to imagine attacks on military networks or on critical infrastructure—like the transportation system and energy sector—that cause severe economic damage, physical destruction, or even loss of life.
Of course, it is possible that destructive cyber attacks will never be launched. Regrettably, however, few weapons in the history of warfare, once created, have gone unused. For this reason, we must have the capability to defend against the full range of cyber threats.
In short, the cyber threat is moving up a ladder of escalation, from exploitation, to disruption, and ultimately, to destruction. As this threat continues to escalate, the groups that possess these capabilities are also likely to expand in dangerous directions.
Today, the highest levels of cyber capabilities reside almost entirely in sophisticated nation-states. Thus far, nation-states have primarily deployed their capabilities to exploit and occasionally disrupt networks, rather than to destroy them. Many foreign intelligence agencies have attempted intrusions on U.S. networks, but these intrusions are largely limited to exploitation. Although we cannot dismiss the threat of a rogue state lashing out, most nations have no more interest in conducting a destructive cyber attack against us than they do a conventional military attack. The risk for them is too great. Our military power provides a strong deterrent.
So even though nation-states are the most capable actors, they are not the most likely to initiate a catastrophic attack, at least in current circumstances. We nevertheless must prepare for the likelihood that cyber attacks will be part of any future conventional conflict. We need cyber capabilities that will allow us to deter and to defend against the most skilled nation-state.
But perhaps the greater and more immediate concern is the threat of a terrorist group gaining disruptive or destructive cyber capabilities. Al Qaeda, which has vowed to unleash cyber attacks, has not yet done so. But it is possible for a terrorist group to develop cyber attack tools on their own or to buy them on the black market. The nature of cyber is that a couple dozen talented programmers, using off-the-shelf equipment, can inflict a lot of damage. Moreover, with few tangible assets to lose in a confrontation, terrorist groups are very difficult to deter. We have to assume that in cyber as in other areas, if terrorists have the means to strike, they will do so.
So we stand at an important crossroads in the development of cyber threats. More destructive tools are being developed, but have not yet been used. And the most malicious actors have not yet acquired the most harmful capabilities. This situation will not hold forever. Terrorist organizations or rogue states could obtain and use destructive cyber capabilities. We need to develop stronger defenses before this occurs. We have a window of opportunity—of uncertain length—in which to protect our networks against more perilous threats.
To ensure we can prevail against the spectrum of threats that cyber poses, we should pursue three avenues of action.
First, we must raise the level of protection in government and military networks. We must ready our defense institution to confront cyber threats, because it is clear that any future conflict will have a cyber dimension. Future adversaries will seek to use our reliance on information technology against us. We must be prepared to defend our networks effectively.
Accordingly, the U.S. Defense Department is moving aggressively to counter the cyber threat. As a doctrinal matter, we must be able to defend and operate freely in cyberspace. Over the past two years, we have deployed specialized active defenses to protect military networks and we have established the U.S. Cyber Command to operate and defend them. And we are developing a comprehensive cyber strategy that will guide how each military service trains, equips, and commands its forces for the cyber mission.
As we prepare our own forces to face the cyber challenge, we must pursue a second avenue of action—working with our allies and partners on collective cyber defenses. We must strengthen our collective ability to monitor and respond to intrusions.
In cyberspace, the more attack signatures you can see, and the more intrusions you can trace, the better your defense will be. In this way the Cold War construct of shared warning has applications to cyberspace today. Just as our air and space defenses are linked with those of our allies to provide warning of airborne and missile attacks, so too can we cooperatively monitor our computer networks for cyber intrusions.
In the past year the Department of Defense has worked with NATO nations and other partners to strengthen our cyber engagements. Last month, the Obama Administration released the U.S. International Strategy for Cyberspace. White House Cyber Security Coordinator Howard Schmidt will speak tomorrow about what this new strategy means for our friends and allies, and how it will help foster a more free, reliable, and secure global internet.
For the Department of Defense, the international strategy provides a framework for our contribution to an effort that has many facets, from internet freedom and e-commerce to cybercrime law enforcement and international norms of behavior. Ultimately, this strategy will help us build a coalition of nations whose mutual interest in securing cyberspace will ensure the benefits we derive from it flow uninterrupted.
A consensus for action on cyber security is emerging in Europe. NATO is unanimous in acknowledging the need to elevate its treatment of network security. The new strategic concept names cyber security as a leading priority for NATO in the 21st Century. The alliance made a high level commitment to cyber security at the Lisbon summit last. As a result, upgrades are underway to enable NATO to better defend its networks. The commitment to take NATO’s Cyber Incident Response Center to full operating capability by 2012 is a significant step in the right direction. And at last week’s ministerial, NATO ministers approved final cyber policy guidance.
The European Union is also moving rapidly to address cyber security. Through the U.S.-E.U. cyber dialogue, Secretary of Homeland Security Janet Napolitano has met with the E.U. Home Affairs Commissioner. I have conferred with the E.U. High Representative. And a joint cyber exercise slated for later this year will help establish how our computer incident response centers can work in partnership with the E.U.’s new cyber security unit.
The third avenue of action is to form public-private partnerships with the operators of critical infrastructure. We need to work with industry to raise the level of network defenses in industrial sectors that are crucial to our economy and to the functioning of our militaries. This is in many ways the most consequential to the security of our societies.
The threats we face in cyberspace target much more than military systems. Cyber intruders have already probed many U.S. government networks, our electrical grid, and our financial system. The failure of any one of these could cause massive physical damage and economic disruption.
This is noteworthy because protecting our nation’s critical infrastructure is not only essential to the functioning of daily life. It is also crucial to national security.
In the U.S., as in Europe, our military bases and installations are part of—and not separate from—the civilian infrastructure that supports our towns and cities. Ninety-nine percent of the electricity the U.S. military uses comes from civilian sources. Ninety percent of U.S. military voice and internet communications travel over the same private networks that service homes and offices. We also rely on the nation’s transportation system to move military freight, we rely on commercial refineries to provide fuel, and we rely on the financial industry to pay our bills.
Disruptions to any one of these sectors would significantly impact defense operations. A cyber attack against more than one could be devastating.
In short, secure military networks will matter little if the power grid goes down or the rest of government stops functioning. Protecting the networks that undergird critical infrastructure must be part of our national security and homeland defense missions.
Making this part of our mission will require a strong partnership with agencies who have jurisdiction over systems critical to military effectiveness. In the United States, the Department of Homeland Security has responsibility for protecting the .gov domain and for leading government efforts to protect critical infrastructure in the .com domain.
In the past year, we have signed a memorandum of agreement with the Department of Homeland Security that codifies our commitment to seamlessly coordinating cyber security efforts. We have established a joint planning capability and exchange of personnel in our cyber watch centers. And we are helping Homeland Security deploy advanced defensive technologies on our government networks.
The critical infrastructure upon which our defense establishment depends also extends to the private companies that produce military equipment and weapons. Our defense industrial base is critical to our military effectiveness. Their networks hold valuable information about our weapons systems and their capabilities. The theft of design data and engineering information from within these networks greatly undermines the technological edge we hold over potential adversaries.
Current countermeasures have slowed but not stopped the continued exploitation of U.S. defense industry networks. We need to do more to guard these vital storehouses of design innovation.
Toward that end, last month, the Department of Defense, in partnership with the Department of Homeland Security, established a pilot program with a handful of defense companies to provide more robust protection for their networks. In this Defense Industrial Base—or DIB—Cyber Pilot, the Defense Department is sharing classified threat intelligence with defense contractors or their commercial internet service providers along with the know-how to employ it in network defense. By furnishing network administrators with this threat intelligence, we will be able to strengthen the existing cyber defenses at defense companies.
In the DIB Cyber Pilot, the U.S. government will not be monitoring, intercepting, or storing any private sector communications. Rather, threat intelligence provided by the government is helping the companies themselves, or the internet service providers working on their behalf, to identify and stop malicious activity within their networks. The pilot is voluntary for all participants.
Although this pilot breaks new ground on several fronts, we have a long way to go, and a lot of work to do, before our critical infrastructure will be fully secure. But by establishing a lawful and effective framework for the government to help operators of one critical infrastructure sector defend their networks, we hope the DIB Cyber Pilot can be the beginning of something bigger. It could serve as a model that can be transported to other critical infrastructure sectors, under the leadership of the Department of Homeland Security.
Without question, developments in cyberspace have redefined the front lines of national security. Within a few short years, information technology has transitioned from a support function to a strategic element of power in its own right. As a result, future conflicts will unquestionably have a cyber dimension.
The doctrine, organizational structure, and resource allocation of our defense ministries must change to reflect this new reality. But our efforts cannot end there. The challenges we face in cyberspace are not amenable to narrow solutions. No single agency can tackle the required issues. No one nation can devise or enforce a sustainable solution. And no combination of nations can succeed without partnering with private sector companies. The range of actions necessary to enhance cyber security will require engagement in our defense institutions, across our governments, between our nations, and between the public and private sectors.
In short, we must work together, as everyone—from ordinary citizens, to the owners and operators of critical infrastructure, to our warfighters on the front lines—has a stake in cyber security.
Like other security challenges that galvanize like-minded nations, cyber threats can be more ably defeated through collective action. And just as we have for the last sixty years, I am confident that we can act collectively against this threat, and make the investments in capability and interoperability necessary for us to prevail.