In a keynote address at the Center for Strategic Decision Research’s 28th International Workshop on Global Security, Lynn described Defense Industrial Base Cyber Pilot -- called “DIB Cyber Pilot” for short -- in which the Defense Department, in partnership with the Department of Homeland Security, shares classified threat information and the know-how to employ it with participating defense companies or their Internet service providers to help them in defending their computer networks from attack or exploitation.
“Our defense industrial base is critical to our military effectiveness. Their networks hold valuable information about our weapons systems and their capabilities,” Lynn said. “The theft of design data and engineering information from within these networks greatly undermines the technological edge we hold over potential adversaries.”
Current countermeasures have slowed exploitation of U.S. defense industry networks, but haven’t stopped it, the deputy secretary told the audience, leading to DIB Cyber Pilot’s establishment last month with a handful of defense-industry companies, all of which volunteered for the program.
“By furnishing network administrators with this threat intelligence,” he said, “we will be able to strengthen the existing cyber defenses at defense companies.”
Lynn emphasized that the government will not monitor, intercept or store any private-sector communications through the program. Rather, he said, threat intelligence provided by the government is helping the companies themselves, or the Internet service providers working on their behalf, to identify and stop malicious activity within their networks. The pilot is voluntary for all participants, he added.
Lynn expressed the hope that DIB Cyber Pilot could serve as an example of how a larger effort aimed at protecting the nation’s critical infrastructure -- its power grid, transportation system, financial system and other components -- might work.
“Although this pilot breaks new ground on several fronts, we have a long way to go, and a lot of work to do, before our critical infrastructure will be fully secure,” he said. “But by establishing a lawful and effective framework for the government to help operators of one critical infrastructure sector defend their networks, we hope the DIB Cyber Pilot can be the beginning of something bigger. It could serve as a model that can be transported to other critical infrastructure sectors, under the leadership of the Department of Homeland Security.”
Meanwhile, Lynn said, attacks on military networks pose a growing threat.
“Information technologies have revolutionized how our militaries organize, train and equip,” he said. “They are at the core of our most important military capabilities: communications, command and control, navigation, and intelligence, surveillance and reconnaissance. But for all the military capability that information technology enables, it also introduces vulnerabilities.
“We learned this lesson in 2008 when a foreign intelligence agency used a thumb drive to penetrate our classified computer systems -- something we thought was impossible,” he continued. “It was our worst fear: a rogue program operating silently on our system, poised to deliver operational plans into the hands of an enemy.”
Network exploitation -- the theft of data from both government and commercial networks -- has been the most prevalent cyber threat to date, Lynn said. Foreign intelligence services have stolen military plans and weapons systems designs, and valuable source code and intellectual property has been stolen from business and universities. Recent intrusions at the International Monetary Fund, Lockheed Martin and Citibank join others in the oil and gas sector, at Nasdaq and at Google as further, troubling instances of a widespread and serious phenomenon, he added.
“This kind of cyber exploitation does not have the dramatic impact of a conventional military attack,” Lynn said. “But over the long term, it has a corrosive effect that in some ways is more damaging. It blunts our edge in military technology and saps our competitiveness in the global economy.”
Though exploitation has been the most common type of attack, the deputy secretary said, network disruption has emerged as a second cyber threat. In this type of attack, he explained, intruders seek to deny or degrade the use of important government or commercial networks. Such attacks occurred against Estonia in 2007 and against Georgia in 2008, he added, and an attack targeting eBay and PayPal was along similar lines.
“To this point, the disruptive attacks we have seen are relatively unsophisticated in nature, largely reversible, and short in duration,” Lynn said. “But in the future, more capable adversaries could potentially immobilize networks on an even wider scale, for longer periods of time.”
A third type of cyber attack -- destruction -- is the most dangerous because it uses cyber tools to cause physical damage, Lynn said.
“This development -- which would mark a strategic shift in the cyber threat -- is only just emerging,” he said. “But when you look at what tools are available, it is clear that this capability exists. It is possible to imagine attacks on military networks or on critical infrastructure like the transportation system and energy sector that cause severe economic damage, physical destruction or even loss of life.”
Lynn acknowledged the possibility that a destructive cyber attack might never take place.
“Regrettably, however, few weapons in the history of warfare, once created, have gone unused,” he added. “For this reason, we must have the capability to defend against the full range of cyber threats.”
As the cyber threat continues to move up a ladder of escalation from exploitation to disruption and, ultimately, to destruction, Lynn said, the groups that possess these capabilities also are likely to expand in dangerous directions.
The highest levels of cyber capabilities reside almost entirely in sophisticated nation-states, and so far, they primarily have deployed their capabilities to exploit and occasionally disrupt networks, rather than to destroy them, Lynn said.
“Although we cannot dismiss the threat of a rogue state lashing out, most nations have no more interest in conducting a destructive cyber attack against us than they do a conventional military attack,” he said. “The risk for them is too great. Our military power provides a strong deterrent. … We nevertheless must prepare for the likelihood that cyber attacks will be part of any future conventional conflict. We need cyber capabilities that will allow us to deter and to defend against the most skilled nation-state.”
However, Lynn added, the threat of a terrorist group gaining disruptive or destructive cyber capabilities may be the greater and more immediate concern.
“Al-Qaida, which has vowed to unleash cyber attacks, has not yet done so,” he said. “But it is possible for a terrorist group to develop cyber attack tools on their own or to buy them on the black market. The nature of cyber is that a couple dozen talented programmers, using off-the-shelf equipment, can inflict a lot of damage. Moreover, with few tangible assets to lose in a confrontation, terrorists groups are very difficult to deter.
“We have to assume that in cyber, as in other areas, if terrorists have the means to strike, they will do so,” Lynn added.