MR. WILLIAM LYNN: Well, thanks for staying. I think most of you -- all of you, I guess, were probably here for the presentation and the Q&A, so I think we ought to just go straight to questions.
Sure. Start --
Q: Sir, I wonder if you could tell us a little -- for Mr. Lynn, I wonder if you could tell us a little bit more about the March intrusion to the defense contractor that stole the 24,000 files; a little bit more about the damage that was done or who might have perpetrated it; was it a nation or an individual, and if it was a nation, who it was.
And for General Cartwright, this morning at the Defense Writers Group, you talked -- answering our questions a lot about deterrence and moving toward deterrence. Mr. Lynn, of course, talked a lot about how we need to make attacks ineffective by improving our defenses. I wonder if you could react a little bit to that and flesh out your thoughts there.
MR. LYNN: Well, let me start. The intrusion that I mentioned in March is the -- you know, just the latest in a series. We've been getting hit for, you know, the better half of five or six years in a serious way.
This was significant, and it was a -- was a defense contractor. It was a data related to systems that are being developed for the Department of Defense. It was large, 24,000 files. It was done, we think, by a foreign intelligence service. In other words, a nation-state was behind it. And we don't get into our understanding of exactly who that was.
GENERAL JAMES CARTWRIGHT: To the issue of where we're going in the future and deterrence-type strategies associated with cyber and then how they're incorporated into larger deterrence strategies, today we have a network that is essentially constructed around point defenses. In other words, you go buy a firewall and some sort of virus protection, you put it on your computer. That's a point defense. It tends to be the most inefficient defense there is, because you're static; in any attack on you, you're just always there. You just keep repeating it as often as you want, and there's really no penalty for doing it.
As you start to build the system out to layers, it becomes more difficult to attack, and as you start to build that out globally and add in sensors so you know what the attacks are, or you see them coming -- if you know what type of an attack is, you recognize it -- that gets you to be more efficient.
So then the adversary has to think their way through how to do that. The likelihood of being detected early, therefore preventing it in a larger area than just a single computer, goes up.
Those types of activities tend to affect those who would attack us. In other words, if they think they're going to be thwarted, if they think they're not going to be able to get the effect they desired to have, it changes their calculus.
To the extent that you add other measures, whether they be offensive in nature, associated with cyber, or whether they be law enforcement, or whether they be just demarches and diplomatic activities, if we can start to introduce those into -- they also tend to raise the price, but they're only effective if they're credible, so we have to have a system that recognizes an attack, registers it, and then allows us to react in a way that's appropriate, proportional, et cetera.
And so that's the discussion here, is, as we move to the future, fleshing out the command and control, fleshing out the sensor network and then building defenses that are more than point -- they have to be regional in nature, global in nature -- and then responses that are appropriate and proportional.
MR. LYNN: Sure.
Q: Eric Weiner, Tokyo Broadcasting System. Thanks for doing this.
You talked about international partnerships. Could you tell me whether or not you're coordinating with the Japanese at all, or plan to? And a second question is, what kind of threats does China pose?
MR. LYNN: We absolutely want to coordinate with the Japanese, and some steps have been taken, and we need certainly Japanese -- is a strong ally that we want to embrace in all aspects of our defense, including cyber. So we are -- we are reaching out to our closest allies, and beyond. This is -- this is beyond just your simple alliances. This is a community of interest, as it were.
MR. LYNN: Oh.
Q: (Off mic.)
MR. LYNN: I mean, China is an enormously capable nation in almost every sphere. Cyber is no exception.
Q: Bill Sweetman, Defense Technology International. Following up on this, why is -- I think many people are aware of who -- which nation stands to benefit most from cyber espionage, because it's a nation's adversary and it's in a rapid technological improvement mode. It needs that information. Why the reluctance to name the panda in the living room, and wouldn't it help the defenders to understand that, and therefore to know what information is most likely to be targeted?
MR. LYNN: With almost every nation, and certainly large nations, we have complex relationships that involve economic ties, military ties, and the -- and so you need to take account of all of those ties, and you need to think through how you want to interact with those nations and make your wishes known and make your displeasure known at any types of activities. And so we work our way through the diplomatic approaches that need to be taken if we feel that we have been threatened in any way.
Q: Amy McCullough, with Air Force Magazine. You mentioned that the DOD networks have been hit for the last five or six years. Can you -- can you quantify that at all on a monthly or annual basis?
And also, does DOD have the authorities that they need to enforce this strategy? I know that that's something that's come up repeatedly through congressional testimonies, and if not, what do you need, and where does that stand?
MR. LYNN: It's hard to quantify -- first part of the question -- it's hard to quantify these things. I mean, you know, the -- you know, networks are scanned literally millions of times a year, but the -- you know, does that amount to an attack? That's probably, you know, a stretch to say that. So you know, the number of significant intrusions is much, much smaller, but it's the scanning that leads to the information that feeds those intrusions. So it's hard to quantify. I guess the one thing I would tell you is it's on the increase and has been on the increase every year for the last five or six, and that's, I think, the troubling development.
In terms of authorities, you're -- we are in the area to protect our own military networks; I think we have the authorities that we -- that we need. The -- I think in terms of critical infrastructure -- protecting critical infrastructure is an important part of this strategy. The authorities really lie with the Department of Homeland Security, and DOD is the supporting agency in that regard.
And then more broadly, the -- as we -- you know, cyber security is relatively new, and we are looking at what kinds of changes need to be made to the legal regime. And the administration has a legislative proposal on the Hill, a significant part of it focused on giving us the kinds of authorities and developing the kinds of incentives in the commercial structure to improve defenses in critical infrastructure.
GEN. CARTWRIGHT: And I would just add to that, particularly for the Department of Defense and given who you represent -- I mean, if an airman has to have a set of rules for everything except cyber and then a separate set of rules for cyber, it's really difficult. So we're starting from the concept, use the laws that we have, understand the implications and where it applies and where it doesn't. And then to the extent that we need something more, make it a deviation, but don't try to invent an entire set of rules, laws, policies that only apply to cyber because it's really difficult, then, for us to teach and to make -- and apply it in conflict.
MR. LYNN: Why don't we go back there?
Q: Hi, Ben Dalton from TV Tokyo. I wanted to ask you gentlemen if you could articulate what scenario would justify the use of traditional military force.
MR. LYNN: Cyber isn't different than other areas in that way. If a -- if the effect of some sort of action reached the threshold that the nation and the president and the Congress considered it an act of war, we would feel we would have the response -- that we would have military response as an option, although again, we always look at use of military force as a last resort. We would try and exhaust other options before turning to that.
Why don't we go all the way back.
Q: Thank you. Tom Gjelten from NPR, for either of you. The strategy is largely silent on the offensive capabilities in this area. I'm wondering, one, if that reflects the unclassified nature of this document as opposed to the classified version, if that's where more of that might be detailed.
And more broadly, how important, in your judgment, is it for the United States to develop -- to continue to develop its offensive military capabilities in this area?
MR. LYNN: Let me take a shot and then ask Hoss to join in. It is important in terms of all of our military capabilities -- cyber included -- to have a full spectrum of capabilities. That said, the thrust of the strategy, as you correctly identified, is defensive, it is protecting the networks, because those networks undergird all of our capabilities, offensive and defense -- the ability to strike, the ability to navigate, the ability to communicate.
All of our military capabilities are based on our utilization of information technology networks. So the thrust of this is, how do we protect those advantages?
GEN. CARTWRIGHT: And I think this is a framework. This starts us down the path of building out both our defenses but our awareness skills and our ability to command and control on those networks. The command and control is not just for cyber. And so, understanding how it all integrates together and then where it makes sense to have cyber offensive capabilities, where they actually add value, and then whether or not -- again, this is a lot of R&D at this stage of the game. You know, where do we put our investments in that area are things that we're trying to understand. But we can't understand that until we understand the environment we're working in.
MR. LYNN: Here in the middle.
Q: Molly Walker, Fierce Government IT. Last week during congressional testimony, a DHS official cited problems in the cyber security supply chain. I was wondering, given the strategy's focus on DOD networks and the DIBs networks, if this will have any implications for acquisition, changes, new certifications, and emphasis on indigenous technologies?
MR. LYNN: Well, I mean, I think this strategy focuses on one particular aspect of the challenge, which is the threat across networks basically remotely, from other places. There are two other types of threats that you need to be conscious of. One is insider threats, and that's the whole WikiLeaks issue, and then there's supply chain, how do you protect the supply chain. I think that's really what you're referring to.
And we absolutely do need to think about how we protect our supply chain. There's an active group in the interagency process led by the White House trying to develop policies for that. It is difficult because -- you implied indigenous. It is not, I think, conceivable, given the breadth of Internet technology, to think that we're going to build everything that we need inside a ring fence and that we can just examine it and protect it as we build it. We're going to have to -- our supply chain is going to be global in the information technology area. So we need to accommodate that, and we need to develop means to get assurance of the security of the components of the equipment that we buy.
GEN. CARTWRIGHT: I think the other component to that is that not -- accepting the fact that you'll never have a purely perfect supply chain and that you'll always question, because you can't tell where your information flows throughout that supply chain, that we're going to have to have diversity in the supply chain. We're going to have to be able to say, if this particular component can be attacked, there needs to be more than one of that kind of component so that we have an assured path through diversity also, and layering those opportunities to have the ability to get through, not having the same networks, components, having diversity also in how that information is passed, and then diversity in how the information is encrypted or protected. We've got to be able to do it so that any one element gets compromised, we have an alternative path.
Q: Yes, thank you. Shaun Waterman from the Washington Times. Firstly, deputy secretary, are you concerned that the United States is -- might -- is seen as an aggressor in cyberspace overseas; I mean abroad, by foreigners? And is this -- is this strategy in any way designed to ameliorate that concern?
And secondly, do you see any possibility for the use of treaties to mitigate the threat, I mean, agreements with other countries about what kinds of weapons can be used? Or, you know, given that the advantage at the moment lies so much with the attacker, is that a -- is that a sort of nonstarter?
MR. LYNN: I mean, I think the thrust of the strategy here is to reinforce the defensive nature of our approach here. In terms of treaties -- I mean, I think we do need to pursue international forums and see if it's possible to set up international norms. I don't know whether those would take the form of treaties or other norm-setting vehicles, but I think, given the dependence that the United States has on information technology for both its military capabilities as well as its economic vitality, the higher the levels of security are on the Internet, the better it's going to be for us.
GEN. CARTWRIGHT: I mean, I might go at it just to say that as we start to understand the threat side of this equation, it is likely that we're going to have increased regulation of some sort on a global scale, in order to have an assurance level that we can get -- use these networks safely.
Q: Charlie Keyes, CNN. Thanks, gentlemen. I appreciate it.
From where you both sit, I was wondering whether the telephone hacking scandal in Britain raised any particular concerns, especially as the U.S. military experiments and tests and issues hand-held devices and smartphones for use in the field?
MR. LYNN: Geez, that was the -- actually, you know, I get to worry about a lot of things every day. (Laughs.) Telephone hacking in the U.K. actually wasn't one of them. (Laughter.)
I mean, I think beyond -- you know, obviously what -- the trend here is that the threat is moving up. It is becoming -- as I had suggested in the talk, it's moving up in terms of the level of destructiveness it might have, and it's moving out in terms of the number of countries and ultimately organizations and even individuals who might possess those capabilities. So those trends I think are worrisome.
And what I suggest is I think before those -- either of those dimensions gets too far, it's important for us to put in stronger protections in our military area and in our critical infrastructure area.
GEN. CARTWRIGHT: I guess I would go in the direction that it did worry me, and it does worry me; more from the standpoint that, to date, industry, in the chip sets that we use in our displays, the chip sets that we use in our phones, our other endpoint devices, don't -- are not currently configured to encrypt. And we're going to have to start to think our way through as a nation and as an industry, do we want to start to encrypt at the endpoint? And what are the implications -- new chips, et cetera -- that allow us to do that? And then, bring a level of security that can be graduated based on the threat but have a chip set in that that actually can respond to that.
We don't have that today. It's something that we're going to have to start to think our way through, because I think now the average citizen is starting to look for more secure ways to communicate and wants the opportunity to do that. And today, we pay a premium price to do that in the military. It's likely that that's going to start to move to the commercial sector.
Q: Hi. Two questions, first.
MR. LYNN: Where are you from?
Q: Oh, Courtney Kube, NBC News. Thank you for doing this.
Two questions. Back to the March hacking, or intrusion, what -- was this the biggest intrusion in these five or six years that you keep mentioning? And what was the U.S. response? Did you -- did you inform this other nation that you were aware that they had intruded on the network, and did you -- were there any diplomatic response that you can tell us about?
And then also, back to the "act of war" question, can you just give us more of an idea? I mean, in my mind, an act of war is something that leads to civilian death -- leads to deaths, or some sort of a major infrastructure breakdown or -- I mean, can you give us a better idea, some sort of an example of what an act of war would mean in a cyber realm?
MR. LYNN: Well, I mean, fortunately, we haven't seen it yet, so, I mean, it's -- and there is some value in keeping it somewhat ambiguous, as a -- as a deterrent. But it's ultimately that the damage, either human or economic, is such that the president and the Congress would treat it as an act of war and respond accordingly. And I can't give you precise dimensions.
In terms of the event, I actually don't think that the -- it was 24,000 files, which is a lot, but I actually -- I'd have to double-check, but I do not think that's actually the largest. It's very large, but I don't think it's the largest we've seen.
GEN. CARTWRIGHT: On the -- the act of war is a judgment. It's subjective. It's in the eyes of the beholder. A nation may determine, based on what it values, that an act of war or aggression has occurred.
The Law of Armed Conflict, however, is very precise, or much more precise. So in your earlier questions, when we were talking about a hospital, if you take down the patient records and therefore they can't be treated, that is a violation of the Law of Armed Conflict. And that's very clear. And then you have proportional responses that can be initiated against it.
So trying to understand in the area that you're talking about, an act of war, is one of these dialogues and debates you get into, and they really don't lead you anyplace, because at the end of the day, it's in the eyes of the beholder.
Q: And the diplomatic response, if there was one, to the March -- anything you can tell us?
MR. LYNN: There isn't.
Q: Thanks. Hi. I'm Dan Sagalyn of the PBS "NewsHour." Can you better define what constitutes a kind of attack that you guys would get involved in? Obviously if the Pentagon networks were attacked, that's very clear, but if like my news organization's website gets hacked, you're not involved. So in infrastructure there's a lot of -- what kind constitutes the kind of attacks that you guys would be most concerned about? And where are there attacks that you're not concerned about?
MR. LYNN: Well, I mean, concerned's probably the wrong word, but I mean, in terms of, you know, DOD, it -- criminal activity is -- I mean, we're not a law enforcement agency. So you know, for the kinds of criminal activity, we might have some technical expertise that we'd support, the FBI or other law enforcement agencies, and we'd be happy to do that, but we wouldn't be the prime -- in terms of criminal infrastructure, again, Homeland Security would be the primary agency, and we would again be supporting. It would only -- DOD would only take the lead if it got to where the -- some of the other questions were going -- if it got to a point where in the judgment of the leadership of the country, it required a military response.
Q: Hi. Ellen Nakashima -- Ellen Nakashima with The Washington Post. Third try is the charm. Ellen Nakashima with The Washington Post. To follow up again on the March 24th incident, as well as the act of war or use of armed force, was the theft of the 24,000 files related in any way to the secure ID token compromise? And can you quantify, in terms of terabytes, how much data was taken or in monetary terms how much it was worth? And how long had it been going on when it was detected?
And then I have an act of war question.
MR. LYNN: The -- what was your first question? (Inaudible) --
Q: Was it related to the secure ID --
MR. LYNN: Oh, was it the RSA? Yeah, I don't believe it was related to RSA.
In terms of the economic value, it's -- I mean, it's -- you know, information related to, you know, weapons systems and defense equipment's very hard to value in that way. And it was 24,000 files, and I can't translate that into terabytes.
Q: Any idea how much it set you all back in terms of development of that system?
MR. LYNN: I don't think it necessarily -- it set us back in terms of the development of the system. It more -- it compromised information relative to the design of military equipment.
Q: So as a result of that, the company and DOD is now going to have to redesign parts of this?
MR. LYNN: We're looking at that right now.
Q: OK. And what was the largest theft, cyber theft, in the last --
MR. LYNN: I'm not sure.
GEN. CARTWRIGHT: We'll go look it up for you. (Chuckles.)
Q: Will you? Get back with me? Thanks.
To help on the act-of-war question, what if a Stuxnet-like intrusion occurred with us and, you know, we had a nuclear facility and centrifuges were damaged? Do you think you would consider -- we would consider that an act of war or use of armed force that would justify a response? And if so, what kind of response? To both of you.
GEN. CARTWRIGHT: You're in the hypotheticals, so it's really difficult. But it's the output side of the equation, not the vehicle, that determines whether it's an act of aggression. So in this case, a cyber-vehicle -- you used Stuxnet as an example. But the question is --
Q: Damaged centrifuges, though.
GEN. CARTWRIGHT: So the question then becomes are those centrifuges critical to our national activities. If in the judgment of the national leadership that's true, then it becomes an act. If it is not, if it is ancillary and not considered that, is it law enforcement, is it something else, and then what are the appropriate tools and proportionality?
MR. : We have time for one more. Let's -- (off mic).
MR. LYNN: Sure. Yeah.
Q: OK. Thank you.
MR. LYNN: Right here.
Q: Amanda Palleschi, Inside the Pentagon. You had mentioned in the second pillar that you had worked on new sensors, software, engineering. What programs in the FY '12 budget, in your budget request, do you feel most address or what are the most key programs that you put forth? And how do you feel about the response you've gotten from members of Congress and the executive branch on those priorities and those programs so far?
MR. LYNN: So far, Congress has been supporting the proposals we've made for improvements in cyber security. I mean, the program underlying active defenses, one of them is called Tutelage. It's a system of active defenses that's run through the Cyber Command. So that is that program.
MR. : All right. Thank you very much for your attendance today.
MR. LYNN: Thank you.