Remarks by Deputy Secretary Lynn at the 2011 DISA Customer and Industry Forum, Baltimore, Md.
MR. LYNN: Thank you General Pollett.
I am glad to join a diverse cross-section of our IT community at this conference. From civilians within the department and members of the military to all those in industry, the work you do to ensure the integrity of our information systems is crucial to every mission we undertake.
Now, General Pollett has been very kind in his introduction. But the truth is he really does not understand my job. General Pollett is not a deputy. He is someone who has a deputy.
What happens when you are deputy is that you are not in charge of anything. Issues come up to you. But if there are any easy issues, somebody below you makes the decision, takes credit, puts out a press release. None of the easy issues make it through. I only get the most difficult ones, where the choices range from truly bad to really awful. As a result, I get to choose which of several constituencies to upset. If a really attractive issue or easy decision somehow slips through, the Secretary reaches down, grabs it, takes credit.
In all seriousness, General Pollett has an impressive record of service at DISA. On the job since December 2008, he has deftly guided DISA through a time of immense change.
He has helped establish a technical roadmap towards an enterprise services “platform.” He has worked closely with the Pentagon to adapt to changes affecting the entire Department. And he has displayed strong leadership in the BRAC move to Ft. Meade.
Moves like this are never easy for individuals or families, let alone an entire agency. Especially when it stretches out commutes in Washington traffic. The Baltimore Parkway is not for the faint of heart.
The fact that DISA’s move went so smoothly is a testament to the resiliency of DISA staff. On behalf of the Department, I would like to express my appreciation for how well each of you have handled the transition.
Across the department, we face another kind of transition, one on which the future of our forces and security depend. And in this transition, DISA is on the frontlines.
Changes in information technologies have revolutionized how our militaries organize, train, and fight. The information backbone DISA provides enables our most important military capabilities. From ISR and global strike to navigation and command and control, our defense community relies on the networks you are responsible for to keep America safe. You provide the information technology foundation for the most effective fighting force in the world. And you do so at a time where technology is not stagnant, but rather in a constant and rapid state of evolution.
The same adaptability you demonstrated in your move to Fort Meade also manifests itself in the way you are able to react to technological change. One of the areas we are seeing the most amount of change is in the unprecedented and increasing series of cyber threats. It is clear that as this threat grows and transforms, so must our efforts to defense against it.
I have spent a great deal of my tenure as Deputy working on cyber security. My staff has been so deeply immersed in all the intricacies of the issue that each one of them deserves an honorary degree in computer science. Our work culminated last month with the release of the first ever Defense Strategy for Operating in Cyber Space. The strategy illustrates how cyber security is an issue that demands the full attention of the entire department.
The reality is that our reliance on IT presents a significant vulnerability. It is a reliance that you know very well. You are the professionals that help protect us from dangerous threats to our networks.
To date, the most prevalent cyber threat has been exploitation of our networks. By that, I mean the theft of information and data from both government and commercial networks. On the government side, foreign intelligence services have ex-filtrated military plans and weapons systems designs. Commercially, valuable source code and intellectual property has likewise been stolen from business and universities. The recent intrusions in the oil and gas sector and at NASDAQ join those that occurred at Google as further, troubling instances of a widespread and serious phenomenon.
This kind of cyber exploitation does not have the dramatic impact of a conventional military attack. But over the long term it has a deeply corrosive effect. It blunts our edge in military technology and saps our competitiveness in the global economy.
More recently, a second threat has emerged -- and that is disruption of our networks. This is where an adversary seeks to deny or degrade the use of an important government or commercial network. And it happened in the denial of service attacks against Estonia in 2007 and Georgia in 2008. The effect is usually reversible. But the resulting economic damage and loss of confidence may not be.
To this point, the disruptive attacks we have seen are relatively unsophisticated in nature, short in duration, and narrow in scope. In the future, more capable adversaries could potentially immobilize networks on an even wider scale, for longer periods of time.
The third and most dangerous cyber threat is destruction, where cyber tools are used to cause physical damage. This development -- which marks a strategic shift in the cyber threat -- is only just emerging. But when you look at what tools are available, it is clear that this capability exists. It is possible to imagine attacks on military networks or critical infrastructure -- like our transportation system and energy sector -- that cause severe economic damage, physical destruction, or even loss of life.
Of course, it is possible that destructive cyber attacks will never be launched. Regrettably, however, few weapons in the history of warfare, once created, have gone unused. For this reason, we must have the capability to defend against the full range of cyber threats. This is indeed the goal of the Department’s cyber strategy, and it is why we are pursuing that strategy with such urgency.
We stand at an important juncture in the development of cyber threats. More destructive tools are being developed, but have not yet been used. And the most malicious actors have not yet laid their hands on the most harmful capabilities. But this situation will not hold forever. Terrorist organizations or rogue states could obtain and use destructive cyber capabilities. We need to develop stronger defenses before this occurs. We have a window of opportunity -- of uncertain length -- in which to gird our networks against more perilous threats. All of you will play a key role in helping us seize this opportunity.
The Department’s first-ever cyber strategy will guide how each military service and agency trains, equips commands our forces. It is a strategy based on five pillars. Let me describe them briefly.
First, the Defense Department has formally recognized cyberspace as a new operational domain -- like land, air, sea and space. Treating cyberspace as a domain means that the military needs to operate and defend its networks, which is why we established U.S. Cyber Command -- which is also housed at Fort Meade.
Second, we have equipped our networks with active defenses. It is not adequate to rely on passive defenses that employ only after-the-fact detection and notification. We have developed and now employ a more dynamic approach to cyber defense. Active defenses operate at network speed, using sensors, software, and signatures derived from intelligence to detect and stop malicious code before it succeeds.
Third, we must ensure that the critical infrastructure on which our military relies is also protected. The threats we face in cyberspace target much more than military systems. Cyber intruders have already probed many government networks, our electrical grid, and our financial system. Secure military networks will matter little if the power grid goes down or the rest of government stops functioning -- which is why the Department of Homeland Security’s cyber mission is so crucial.
Fourth, we are building collective defenses with our allies. Just as our air defenses are linked to those of our allies to provide warning of aerial attack, so too can we cooperatively monitor our computer networks for cyber intrusions.
The fifth pillar of our strategy is to marshal our country’s vast technological and human resources to ensure the United States retains its preeminent capabilities in cyberspace, as it does in other domains.
DISA plays a crucial role in our effort to address the cyber threat, and a key role in each part of the strategy. And nowhere is this role more important that DISA’s support of Cybercom. Together with Cybercom, DISA has operational control over our defense networks. I know the move to Ft. Meade has been difficult. But being co-located alongside Cybercom will strengthen each organization and reinforce our cybersecurity efforts.
DISA’s industry partners are also key to our cyber strategy. Our networks are mostly operated by the private sector. We rely on private sector networks and services to operate nearly every facet of the Department. And the fact is that the private firms we depend on are susceptible to the same cyber threats we seek to protect .mil networks from.
It is a significant concern that over the past decade, terabytes of data have been extracted by foreign intruders from corporate networks of defense companies. In a single intrusion this March, 24,000 files were taken.
When looking across the intrusions of the last few years, some of the stolen data is mundane, like the specifications for small parts of tanks, airplanes, and submarines. But a great deal of it concerns our most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems, and network security protocols.
We realize that we must help our partners protect their networks. Toward that end, the Department of Defense, in partnership with DHS, has established a pilot program with a handful of defense companies. In this Defense Industrial Base -- or DIB -- Cyber Pilot, classified threat intelligence is shared with defense contractors or their commercial internet service providers along with the know-how to employ it in network defense. By furnishing this threat intelligence, we are able to help strengthen these companies’ existing cyber defenses.
The government has deep awareness of certain cyber threats. We have what some have termed a “special sauce” of malicious code signatures gathered from various intelligence efforts. Loading these signatures onto existing systems dramatically increases the effectiveness of cyber security. In this way, the DIB Cyber Pilot builds off existing capabilities that are widely deployed through the commercial sector.
Right now about 20 companies are involved in the 90-day pilot program. It is important to note that the pilot is voluntary for all participants, that the U.S. government is not monitoring, intercepting, or storing any private sector communications, and that the pilot has already stopped hundreds of attempted intrusions. The pilot also appears to be cost effective.
In the coming months, we will expand the pilot to the rest of the industrial base, as well as other key areas of critical infrastructure. DISA and industry partners will be crucial to making this initiative work.
We are developing this new cyber strategy at the same time we are entering a period of significant resource constraints.
For the past decade, we have lived in a world where we could meet new security challenges with increased resources. Going forward, we will not have that luxury. We are going to have to make hard choices. Our challenge is to accommodate changing fiscal circumstances without undercutting our military effectiveness.
IT has unique role in contributing to the budget drawdown. It is one of the few areas in which we can likely achieve pure efficiencies. By a pure efficiency, I mean being able to achieve the same results for less money
Deploying new IT approaches has the potential to be a big money saver. For instance, cloud computing holds potential to reduce IT costs across the enterprise. And consolidating data centers will yield significant savings for each service. We have closed eight data centers since the IT Reform plan was published, and we intend to close another 44 by the end of FY2011. These efforts are very important to the Department. The centrality of IT in our efficiencies initiative means you are “tip of the spear” in our effort to seek savings.
To help guide us through these significant challenges, we are lucky to have an extremely qualified leader at the helm. Many of you know our new CIO, Terri Takai. She is working directly with me and the Secretary to lead our efforts to streamline IT operations and improve IT investment. Beth McGrath, our Deputy Chief Management Officer, is also play crucial role making sure our management systems and IT systems are fully aligned. The Department’s success at financial management and achieving audit readiness in particular hinge on IT modernization.
DISA is not only central to the warfighter. It is central to the running of the whole department.
The message I would like to leave you with is that you are central to the effective operation of the Department in an era of downsizing. We will need your experience, judgment, and initiative to help modernize the department while saving money. Your efforts will save taxpayer dollars. But more important, they will benefit the warfighters, yielding huge dividends on the battlefield
So as you can see, we are at two inflection points: the role of IT and cyber security in our military power is more important than ever before. And given the potential savings generated by IT efficiencies, information technology is also helping us manage our fiscal situation
As IT professionals, you are on the frontlines of these efforts. You can identify areas where we can save money. And your work to give our warfighters the best technology can save lives.
So I would like to thank DISA and its partners for all of the vital work you do. As the theme of this conference notes, we are all a part of harnessing “The Power to Connect.”