Remarks at the Defense Information Technology Acquisition Summit
As Delivered by Deputy Secretary of Defense William J. Lynn, III, Grand Hyatt, Washington D.C., Thursday, November 12, 2009
Thanks very much, Mike. Appreciate the chance to be here, and thank you for your service as -- both in the acquisition position as well as secretary of the Air Force. You certainly have given more than can be expected of anyone in public service.
I want to thank the ITAC for the opportunity to address you here today. As Mike noted, I've spent time in both government and industry so I have perspectives from both, which isn't always good. I started in Congress, and Congress thinks it's pretty simple. You understand that you're pretty much in charge, you know what's going on, and those folks from DOD don't really know what they're doing. But then after I served in Congress for six years I went over to DOD and quickly understood that the people in Congress were a little bit parochial and narrow and maybe it's the people at DOD that had the right perspective. And then I got to industry and realized that, no, it's really neither Congress nor DOD -- they're both a little too narrow and they've got to have the breadth that industry has. Then I went back in government and my problem is that I don't know who to blame. (Laughter.)
So the reality of course is that today's challenges demand partnerships between government, between industry and Congress. This is especially true with information technology where innovation happens fast and most developmental work is done on the commercial side outside of DOD. The need for DOD, for Congress and industry to work together on information technology is what brings me here today.
As deputy secretary I'm responsible for ensuring the department's smooth functioning -- which technologies to use, which weapons to buy, which business operations to employ. In information technology alone, we spend over $30 billion, so how we integrate information technology into our operations and structure its acquisition is among the most important determinants of our military power. That's why IT is the focus of the Quadrennial Defense Review, the department's once-every-four-years look at the threats we face and how we respond to them and what our national strategy should be.
As Secretary Gates said at the start of this QDR, quote, "The old paradigm of looking at potential conflicts as either regular or irregular war, conventional or unconventional, high-end or low is no longer relevant." We now face a world of hybrid warfare, insurgents with IEDs that can pierce heavy armor, terrorists that aspire to use cyberwarfare, and rogue states with weapons of mass destruction. These are the threats the QDR is grappling with. To defeat them we need military capabilities with maximum versatility across the widest spectrum of conflict.
In this new world of hybrid warfare, IT plays a crucial role. It gives our warfighters more information about the threats they face and it gives them tools to defeat them. When our soldiers leave their bases in Iraq and Afghanistan they travel with computers networked into powerful databases and support systems. Information that used to be squirreled away at headquarters or on file in Washington can now be accessed on displays in vehicles. Not too far away it will also appear on handheld devices that they can carry individually.
These systems make our battlefield and intelligence successes possible, yet many of them did not exist when the conflict in Iraq and Afghanistan began. They are here now only because of the dogged inventiveness of our troops in the field who refused to accept the slow speed of the acquisition process in Washington. Thanks to the leadership of Secretary Gates, their needs are now better supported by the department, but we need to do more. We will carry on winning on the battlefield only by continuing to build game-changing technology. Our challenge is to take wartime successes in innovation and institutionalize them department-wide.
IT acquisition is a challenge for the department for two primary reasons. First, traditional weapons systems develop mature technology in classified settings. With IT, development happens in the commercial marketplace. Mature technology is then imported into DOD systems, often with little further modification. Weapons systems depend upon stable requirements, but with IT, technology changes faster than the requirements process can keep up. It changes faster than the budget process and it changes faster than the acquisition milestone process. For all these reasons the normal acquisition process does not work for information technology.
On average it takes 81 months in DOD from when a program is first funded to when it becomes operational. If we take into account the continued growth of computing power, this means that systems are being delivered four to five generations behind state-of-the-art. By comparison, the iPhone was developed in less time than it would take DOD to budget for an IT program, and there are now 100,000 apps that enable users to customize the platform to their own needs.
The second problem with the current acquisition process is that it often fails to take into account end-user preferences. Our soldiers are digital natives. Information technology is a natural part of everything they do. Many of our enemies are digital natives as well. Unless we build systems for tech-savvy soldiers, we will continue to limit ourselves in the fight against tech-savvy enemies.
So what approach should we take to IT acquisition? A new approach to IT acquisition is taking shape inside the department as we speak. We recognize that information technology has never fit the classic acquisition model. The inherent modularity of IT, together with its rapid commercial innovation, means that the nature and lifecycle of IT platforms differ significantly from other weapons systems. Similarly, the government's role in maturing them is different as well. With most IT being developed commercially, our primary role is to design system architecture and to test vendor components.
Future IT systems will be continually reinvented as they age, allowing old platforms to be used for new missions. Our approach to acquisition must be mindful of this kind of thinking. We need to encourage the use of commercial technology. We need to emphasize open design protocols that make systems easy to modify, and we need to adopt service-oriented architectures that will allow vendors to be unable to monopolize systems with proprietary technology.
This approach to IT acquisition is already working inside the department. The Navy is applying it to its combat systems on submarines. With the exception of transducers and water-cooled racks, all of the hardware and 60 percent of the software is commercial. With an open architecture, new capabilities can be inserted each time a sub returns to base. A program that began with one submarine has now expanded to them all, proving that service-oriented architectures can work.
A more nimble IT acquisition process is even more important with the transition away from supplemental appropriations bills which had allowed us to deliver crucial warfighting technologies outside the usual budget acquisition processes. As we return to funding wartime programs through the base budget, we need to build greater responsiveness in our standing processes. We need to redirect IT systems from an 81-month march to obsolescence and put them on a path to meet warfighters' evolving needs.
Although IT enables tremendous gains, it's also a double-edged sword. There's no exaggerating our military dependence on information networks. Command and control of our forces, intelligence and logistics, the weapons and technologies we field all depend on computer systems and networks. Our networks therefore make a tempting target -- all 15,000 of them. This includes 7 million computers, laptops, servers and other devices.
This is not an emerging threat; this is not some future contingency. The cyber threat is here today; it's here now. There are more than 100 intelligence organizations trying to hack into U.S. systems even today. Foreign governments are developing offensive cyber capabilities. Russia and China already have the capacity to disrupt elements of U.S. information infrastructure. And the cyber threat does not end with states. Organized criminal groups and individual hackers are building global networks of compromised computers, botnets and zombies, and renting them to the highest bidder, in essence becoming 21st century cyber mercenaries. And terrorist groups are active on thousands of websites. Al Qaeda and others have expressed a desire to unleash coordinated cyber attacks on the United States.
So our defense networks are already under attack. They are probed thousands of times each day; they are scanned millions of times each day, and the frequency and the sophistication of those attacks are increasing exponentially. It's an unprecedented challenge to our national security. By virtue of its source, its speed and its scope, it marks a new development in the history of war. In the 18th and 19th centuries, ships crossed the oceans in days. In World War II, aircraft could cross the oceans in hours. In the Cold War, missiles could do it in minutes. Today we face cyber attacks that can be mounted in milliseconds. The speed has profound implications for how we mount a defense. If attacked in milliseconds, we can't take days, weeks or months to respond. We need to respond at network speed, before attacks compromise ongoing operations or the lives of our troops.
Fortunately, to this point cyber attacks on our military networks have not cost any lives, but they are costing an increasing amount of money, and the threat is there. In one recent six-month period, the department spent more than $100 million simply defending its networks. For all these reasons, the President has called the cyber threat one of the most serious economic and national security challenges we face as a nation.
So what is DOD doing about it? Our troops and the American people need to understand that DOD has built strong, layered and robust cyber-defenses. Over the years we've taken a number of critical steps. DOD has formally recognized cyberspace for what it is: a domain similar to land, sea, air, and space. Unlike the others, though, cyberspace is a man-made domain, but still it is a domain that we depend upon and we need to protect. Just as we need freedom of navigation on the seas, we need freedom of movement online. Just as we protect the front gates of our military bases, we must protect the back doors of our systems and networks that adversaries seek to exploit.
With your help we are taking further steps to make our networks safe. Our efforts fall into three general areas: culture, capabilities, and command. At DOD we are trying to build a culture of responsibility towards the use of information technology. It takes 90,000 personnel to administer, monitor and defend the 15,000 networks, but most are not formally certified in information assurance, so we're expanding our training and certification to build a truly world-class cyber workforce. And with 3 million employees, improving cyber security training and accountability has to be a priority. The same is true for our defense partners who need to protect sensitive information on their own classified networks. To help them achieve this mission, we share information on the latest threats and vulnerabilities. Defense contractors report incidents more quickly, and today we respond and recover faster as we did with the Conficker worm.
Second, we are developing a doctrine to cover how we protect cyberspace as a domain, how our forces will be designed and how they will be trained to protect and defend our networks. The ongoing Quadrennial Defense Review is assessing our current capabilities and will make recommendations on doctrine for the future.
Mounting an effective cyber defense also takes new capabilities. We subject weapons systems to extensive evaluations. We test the skills of our troops on training ranges, but we have no such equivalent in cyber security. DARPA, which helped invent the Internet decades ago, is leading our effort to build a national cyber range -- in effect a model of the Internet. This will allow us to engage in real-world simulations so we can develop, test and field new leap-ahead capabilities for cyber security. Many of you are involved in this effort. As we build new capabilities, we can't retreat behind a fortress of firewalls. Today's cyber threats are organic and are constantly evolving. Our cyber defenses must do the same. We can't afford a digital version of the Maginot Line. A better model is maneuver warfare, where new tactics and technologies allow nimble forces to out-maneuver foes.
The third area where we're taking action is command. Secretary Gates approved a new Cyber Command as a sub-unified command of the Strategic Command -- STRATCOM. It will lead day-to-day defense and protection of all DOD networks. But CYBERCOM is not intended to be the militarization of cyberspace. It will be responsible for DOD's networks -- the dot-mil world. Responsibility for federal civilian networks -- dot-gov -- stays with the Department of Homeland Security, and that's exactly how it should be.
To coordinate our national response to the cyber threat, the president has created a new White House office and will shortly be naming a White House cyber security coordinator to lead it.
So we're making progress, but we still have a long way to go. How we proceed will depend on how we answer some key questions -- questions that I hope you'll address in today's conference. These include, how can we deter and prevent cyber attacks? Deterrence is predicated generally on knowing the adversary, but in cyberspace it's often the case that we have great difficulty in identifying the adversary, so does the deterrent model apply? Or how does it apply in those kinds of circumstances?
Beyond DOD, how do we organize the government as a whole? Again, DHS is the lead for federal civilian networks, and DOD is proud to be coordinating with DHS and providing some expertise. DOD has employees that are part of the DHS-led Computer Emergency Response Team, and DHS employees help DOD respond to intrusions into our networks. We participate in each other's exercises and share the latest technologies.
Beyond government, how do we partner with industry? Neither the government nor the private sector can do this alone. The government needs industry, which owns and operates most of our nation's information infrastructure. The private sector needs government to establish coherent, effective laws and regulations. Public-private partnerships are still hard to forge in this world. It comes down to trust. Industry needs to trust government to protect proprietary information; government needs to trust industry to protect sensitive details of threats and vulnerabilities.
Beyond the United States, how do we cooperate internationally? Many cyber attacks on U.S. networks originate overseas. Botnet attacks involve computers all over the world. This raises complex issues of national sovereignty and international law. How do we defend ourselves in this global environment? When exactly is a cyber attack an act of war? We need to confront these questions. We need to confront them as a partnership between industry and government.
But we've only just begun. We've just begun to consider these questions. It's not easy working across so many sectors. It can be frustrating and at times exhausting. So I'd leave you with this simple observation: It's only 1928. By that I mean, we've just marked the 100th anniversary of military aviation, which began in 1908; 2009, however, is only the 20th anniversary of the World Wide Web. In other words, in terms of cyber security, we're at the 1928 point. We're still in the era of biplanes and dirigibles. We're still at the dawn of the Information Age. We still have decades of change and challenges ahead of us, decades of innovations we haven't yet imagined. There will be setbacks and failures along the way, but if history is any guide, this too is a challenge we can solve together; this too is an opportunity to meet our share of responsibility to protect the security of our people, to ensure the prosperity of our economies, and to uphold and preserve civil liberties. That's the spirit in which I join you today, that's the spirit the DOD will bring to this challenge, and that's the spirit our nation will need now and in the years to come.
Thank you very much.