Thank you Gilles.
I appreciate the kind introduction, and would like to thank everyone here at SDA who helped make my visit possible.
It’s a pleasure to be with you today here in Brussels, where I worked at the very beginning of my career.
This past year I have focused a great deal on cyber security. I am here to consult with NATO and European leaders on this new and troubling threat. Today I would like to share some thoughts about a strategy to ensure cyber security.
Without question, the countries of NATO are among the world's leading producers and consumers of information technology. It powers our economies. It enables almost everything our militaries do. But our very reliance on information technology also poses a threat. It furnishes an obvious route for adversaries to attack us. Cyber is therefore a source of significant potential vulnerability.
For the U.S. military, this vulnerability was highlighted by an incident in 2008, when the Pentagon suffered the worst cyber attack in its history. It began when an infected thumb drive was inserted into a military laptop. Malicious computer code placed by a foreign intelligence agency uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead that could remove data to servers under foreign control.
It was any network administrator’s worst fear: a rogue program operating silently on your system, poised to deliver operational plans into the hands of an unknown adversary.
The cyber threat is here now, and both the U.S. and NATO need to confront it.
Our strategy must recognize a few central attributes of cyber.
First, cyber is an especially asymmetric technology. The low cost of computing devices means that our adversaries do not have to build expensive weapons, like stealth fighters and aircraft carriers, to pose a significant threat to our military capabilities.
Knowing this, many militaries are developing offensive cyber capabilities, and more than 100 foreign intelligence organizations are trying to break into U.S. systems. Some governments already have the capacity to disrupt elements of the U.S. information infrastructure.
What is true for the U.S. is also true for NATO.
Cyber is also attractive to our adversaries because it is hard to identify the origin of an attack. A keystroke travels twice around the world in 300 milliseconds. But the forensics necessary to identify an attacker may take months.
Without establishing the identity of the attacker in near real time, our paradigm of deterrence breaks down. Missiles come with a return address. Cyber attacks, for the most part, do not. For these reasons established models of deterrence do not wholly apply. Even if the attacker is identified, it may be a terrorist group with no assets to strike back at.
Cyber is also offense dominant. The Internet was designed to be open and interoperable. Security and identification management were lower priorities in system design. Structurally, our ability to defend networks always lags behind intruders. Defenders must defend everything; adversaries only need a single failure to exploit.
In this environment, a fortress mentality will not work. We cannot hide behind a Maginot line of firewalls. As I will describe shortly, our defenses must be active.
Nor are cyber threats limited to the battlefield. Civilian critical infrastructure is also at risk. Computer-induced failures of our power grids, transportation system, or financial sector could lead to physical damage and economic disruption on a massive scale.
Additionally, adversaries are targeting our intellectual property. Earlier this year Google disclosed it had lost intellectual property in a sophisticated cyber intrusion that also targeted dozens of other companies. The defense industry is especially vulnerable to this threat. Designs for key weapons systems have been stolen.
The threat to intellectual property is less dramatic than a cyber attack on our infrastructure. But it may over the long term be the most significant cyber threat we face.
We must also ensure the integrity of our supply chains, so that hardware and software components are not manipulated before they are linked together in an operational system.
On top of all this, the cyber threat is evolving rapidly. With little historical precedent to inform us, we must be modest about our abilities to predict its future course.
To respond to these threats, the U.S. military is developing a five-pillared strategy.
Our first pillar is to recognize cyberspace for what it is—a new domain of warfare.
Like land, sea, air, and space, cyberspace is a domain that we must operate effectively within. Cyberspace is the only domain that is manmade and largely privately owned, but it is nevertheless just as critical to our military effectiveness as the others.
To facilitate operations in the cyber domain, we have created a four-star command, the U.S. Cyber Command. A single chain of command runs from Cyber Command to individual units around the world, enabling it to oversee all cyber operations and to direct the training and equipping of our force.
The second pillar of our strategy is to employ defenses that can respond to attacks at network speed.
In cyber, milliseconds can make a difference. So we have deployed a unique defensive system that includes three overlapping lines of defense. The first two are based on commercial best practices. One is just ordinary hygiene: downloading the patch to keep your software up to date, and making sure your firewalls are operating. A second uses intrusion-detection devices and monitoring software to establish a perimeter defense.
Ultimately, these two lines of defense are not enough to stop high-end threats. For that, you need active defenses.
Active defenses work by placing scanning technology at the interface of our networks and the open internet to detect and stop malicious code before it passes into our networks.
But in cyber, we cannot be perfect. Intrusions will not always be caught at the boundary. Some will inevitably evade detection. To find intruders once they are inside, we have to be able to hunt within our own networks. This too is part of our active defense capability.
The key is that active defense works at network speed to neutralize malicious code, thereby helping prevent the most sophisticated attacks on our networks.
The third pillar of our strategy is to ensure our critical infrastructure is protected.
The best-laid defenses on military networks will matter little unless our civilian critical infrastructure is also able to withstand attacks. So in the U.S. we are working closely with the Department of Homeland Security to evaluate how to secure nationally-important networks, including the computer networks used by the defense industrial base.
Collective defense is the fourth pillar of our strategy. Given the global nature of the internet, our allies can play a critical role in cyber defense.
Indeed, there is strong logic to collective cyber defense—and this is what brings me to Brussels today. The more attack signatures you can see, and intrusions you can trace, the better your defense will be. In this way the construct of shared warning—a core Cold War doctrine—applies to cyberspace today. Just as our air and space defenses are linked with those of our allies to provide warning of airborne attack, so too can we cooperatively monitor our computer networks for cyber intrusions.
Some of our computer defenses are already linked with allies. But far greater levels of cooperation are needed if we are to stay ahead of the cyber threat. Expanding our working relationship with NATO and its member countries is critical.
Our strategy’s fifth pillar is leveraging our own technological base. Like NATO members, the United States enjoys unparalleled technological resources. We must carefully marshal these advantages into superior military capabilities.
One of the more recent illustrations of how technology can improve network security is DARPA’s national cyber range. In the military, we routinely exercise our units on target ranges and in a variety of simulations. However, we have not developed that capability in the cyber world. So DARPA, which helped build the internet decades ago, is now developing a national cyber range—in effect a model of the internet. Once operational, the range will allow us to test capabilities before we field them.
A very significant question now looms. What does the cyber threat mean for NATO? Unlike nuclear aggression, cyber does not pose an existential threat to our societies. The nefarious uses to which cyber tools can be put nevertheless constitute a clear and present danger. Malicious cyber activities not only threaten the alliance’s ability to perform core missions. They also endanger our collective economic and physical security.
Looking ahead, it is easy to imagine scenarios where cyber could figure in the alliance context. Most immediately, NATO forces must be prepared to function in a degraded information environment. What would the alliance do if a cyber attack brought down its logistics network? Could NATO still perform vital functions with parts of its computer backbone offline?
So NATO needs to take decisive action. The alliance must be prepared to defend its civilian and military networks, and, if called upon, to help member nations defend their own. Active defenses, common security standards, and establishing an alliance-wide watch and warning network are each essential parts of an effective NATO cyber defense strategy.
A consensus for action on these fronts is emerging. I spoke before the North Atlantic Council yesterday and was impressed by the degree of agreement about the need for NATO to elevate its treatment of cyber. The Group of Experts’ conclusions establish a useful roadmap that many in the alliance embrace. The new strategic concept is poised to articulate cyber as a leading priority for NATO in the 21st Century. And the alliance is on the verge of making a high-level commitment to cyber at the Lisbon summit.
NATO is also preparing to make organizational changes that will help it defend its networks and more fully integrate cyber into military planning. Establishing cyber as a higher organizational priority means greater levels of involvement by NATO’s top leadership and stronger in-house cyber defense capabilities.
In this regard, the commitment to take NATO’s Cyber Incident Response Center from initial operating capacity today to full operating capability by 2015 is a significant step in the right direction. The Emerging Security Challenges Division will also help inform NATO’s cyber posture.
Without question, cyber has redefined the front lines of national security. Within a few short years, IT has transitioned from a support function to a strategic element of power in its own right. NATO’s doctrine, organizational structure, and resource allocation must change to reflect this.
The alliance has a crucial role to play in extending a blanket of security over our networks. Like other security challenges that galvanize our alliance, cyber threats can be more ably defeated through collective action. NATO has a nuclear shield and will soon have stronger missile defense. We must ensure it has a cyber shield as well.
I am confident NATO can take on this challenge.
I am even more confident that in raising such a shield, the alliance will renew its role as vital guarantor of transatlantic security.