Thank you Nicholas.
I appreciate the kind introduction.
It is a pleasure to be here at the Council on Foreign Relations.
I have been working closely on cyber security this past year. I am here in New York to share the Defense Department’s perspective on this new and troubling threat.
Without question, the United States is the world's leading producers and consumers of information technology. It powers our economies. It enables almost everything our militaries do. But cyber also poses a threat. Our very reliance on cyber furnishes an obvious route for adversaries to attack us. Cyber is therefore a source of potential vulnerability.
Today I would like to share how the Department of Defense is addressing cyber security.
The Department of Defense operates more than 15,000 networks. We have seven million computing devices. 90,000 people are directly involved in the operation of our information technology.
We rely not only on our own networks, but also on many commercial and government networks outside the .mil domain. The fact is that our department depends on the overall IT infrastructure of our nation.
The threat to these networks is substantial. They are scanned millions of time a day. They are probed thousands of times a day. And we have not always been successful in stopping intrusions. In fact, we have experienced damaging penetrations.
As disclosed in a Foreign Affairs article I published this month, the Pentagon suffered the worst Cyber attack in its history in 2008. It began when an infected thumb drive was inserted into a military laptop in the Middle East. Malicious computer code placed by a foreign intelligence agency uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead that could remove data to servers under foreign control. It was any network administrator’s worst fear: a rogue program operating silently on your system, poised to deliver operational plans into the hands of an unknown adversary.
The cyber threat is here now, and the U.S. needs to confront it.
The Pentagon’s strategy concentrates on a few central attributes of cyber. First, cyber is an especially asymmetric technology. The low cost of computing devices means that our adversaries do not have to build expensive weapons, like stealth fighters and aircraft carriers, to pose a significant threat to our military capabilities. A dozen determined programmers, if they find a vulnerability to exploit, could pose a serious threat.
Knowing this, many militaries are developing offensive cyber capabilities, and more than 100 foreign intelligence organizations are trying to break into U.S. systems.
Cyber is also attractive to our adversaries because it is hard to identify the origin of an attack. A keystroke travels twice around the world in 300 milliseconds. But the forensics necessary to identify an attacker may take months.
Without establishing the identity of the attacker in near real time, our paradigm of deterrence breaks down. Missiles come with a return address. Cyber attacks, for the most part, do not. For these reasons established models of deterrence do not wholly apply. Even if the attached is identified, they may be a terrorist group with no assets to strike back at.
Deterrence in these circumstances will of necessity be based more on concepts of denial of benefit than imposing cost through retaliation. The challenge is to make defenses effective enough to deny an adversary the benefits of an attack.
Cyber is also offense dominant. The Internet was designed to be open and interoperable. Security and identification management were lower priorities in system design. Structurally, our ability to defend networks always lags behind intruders. Defenders must defend everything; adversaries only need a single failure to exploit.
In this environment, a fortress mentality will not work. We cannot hide behind a Maginot line of firewalls. As I will describe shortly, our defenses must be active.
The threat to our supply chain is another risk of the cyber age. We're pretty good at protecting our networks from attacks across the Internet, but what about people who get the equipment before it arrives? Remotely operated “kill-switches” and hidden backdoors can be written into the computer chips used in military hardware. The risk of compromise in the manufacturing process is very real, and in many respects is the threat we least understand.
Nor are cyber threats limited to the battlefield. Civilian critical infrastructure is also at risk. Computer-induced failures of our power grids, transportation system, or financial sector could lead to physical damage and economic disruption on a massive scale.
Our intellectual property also stands to be taken. The defense industry has been targeted. Designs for key weapons systems have been stolen. The threat to intellectual property housed by our universities and companies is less dramatic than a cyber attack on our infrastructure. But it may over the long term be the most significant cyber threat we face.
On top of all this, the cyber threat is evolving rapidly. With little historical precedent to inform us, we must be modest about our abilities to predict its future course.
To respond to these threats, the Department is developing a five-pillared strategy.
Our first pillar is to recognize cyberspace for what it is—a new domain of warfare.
Like land, sea, air, and space, cyberspace is a domain that we must operate effectively within. Cyberspace is the only domain that is manmade and largely privately owned, but it is nevertheless just as critical to our military effectiveness as the others.
To facilitate operations in the cyber domain, we need an appropriate organizational structure. So last June, Secretary Gates ordered the consolidation of our cyber organizations into a single four-star command, the U.S. Cyber Command.
U.S. Cyber Command provides a clear and accountable way to marshal the actions of the force as a whole. A single chain of command runs from the head of Cyber Command to individual units around the world, enabling the command to oversee all cyber operations and to direct the training and equipping of our force.
The second pillar of our strategy is to employ defenses that can respond to attacks at network speed, as they happen or even before they arrive.
In cyber, milliseconds can make a difference. So we have deployed a unique defensive system that includes three overlapping lines of defense. The first two are based on commercial best practices. One is just ordinary hygiene: downloading the patch to keep your software up to date, and making sure your firewalls are operating. A second uses intrusion-detection devices and monitoring software to establish a perimeter defense.
Ultimately, these two lines of defense are not enough to stop high-end threats. For that, you need active defenses.
Active defenses work by placing scanning technology at the interface of our networks and the open internet to detect and stop malicious code before it passes into our networks.
But in cyber, we cannot be perfect. Intrusions will not always be caught at the boundary. Some will inevitably evade detection. To find intruders once they are inside, we have to be able to hunt within our own networks. This too is part of our active defense capability.
The key is that active defense works at network speed to neutralize malicious code, thereby helping prevent the most sophisticated attacks on our networks.
The third pillar of our strategy is to ensure our critical infrastructure is protected.
The best-laid defenses on military networks will matter little unless our civilian critical infrastructure is also able to withstand attacks. So in the U.S. we are working closely with the Department of Homeland Security to evaluate how to secure nationally-important networks, including the computer networks used by the defense industrial base.
Collective defense is the fourth pillar of our strategy. Given the global nature of the internet, our allies can play a critical role in cyber defense.
Indeed, there is strong logic to collective cyber defense. The more attack signatures you can see, and intrusions you can trace, the better your defense will be. In this way the construct of shared warning—a core Cold War doctrine—applies to cyberspace today. Just as our air and space defenses are linked with those of our allies to provide warning of skyborne attack, so too can we cooperatively monitor our computer networks for cyber intrusions.
Some of our computer defenses are already linked with allies, most noticeably through existing signals intelligence partnerships with Canada, the UK, Australia and NATO. But far greater levels of cooperation are needed if we are to stay ahead of the cyber threat.
Our strategy’s fifth pillar is leveraging our own technological base. The Unites States enjoys unparalleled technological resources. Our strategy relies on carefully marshaling these advantages into superior military capabilities.
DARPA’s national cyber training range is one of the more recent illustrations of how technology can improve network security. In the military, we routinely exercise our units on target ranges and in a variety of simulations. However, we have not developed that capability in the cyber world. So DARPA, which helped build the internet decades ago, is now developing a national cyber training range—in effect a model of the internet. Once operational, the training range will allow us to test capabilities before we field them.
We are also challenging the scientific community to rethink the basis of our network architecture—how we could redesign or retrofit hardware, operating systems, and computer languages with cyber security in mind. Our information technology infrastructure will not change overnight, but over the course of a generation we have a real opportunity to engineer our way out of some of the most problematic vulnerabilities of today’s technology.
The reality is that in a few short years, IT has transitioned from a support function to a strategic element of power in its own right. Without question, cyber has redefined the front lines of national security. Any major future conflict will involve elements of cyber warfare.
Our networks are far safer than they were just two years ago. But to stay ahead of the cyber threat, the Department must continue to incorporate cyber into our doctrine and organizational structures.