Deputy Defense Secretary William Lynn said Tuesday that the U.S. government is "moving aggressively" to counter evolving cyberthreats and is currently in the final stages of a comprehensive cyberstrategy review. The time to act is now while cyberattacks are still "relatively unsophisticated in nature, short in duration, and narrow in scope," he said.
The danger is that powerful cybertools already exist that one day could be deployed by the nation's adversaries to potentially cause severe economic damage, physical destruction, and even loss of life, Lynn said in a keynote address at the RSA security conference in San Francisco.
"We must have the capability to defend against the full range of cyberthreats," Lynn said. "This is indeed the goal of the Defense Department's new cyberstrategy, and it is why we are pursuing that strategy with such urgency."
A New Domain of Warfare
FBI Director Robert Mueller, CIA Director Leon Panetta, and Director of National Intelligence James Clapper have already told the House Subcommittee on Emerging Threats and Capabilities that sophisticated cyberattacks could place the nation's security in jeopardy.
"Each of them said it was very serious," said subcommittee Chairman Mac Thornberry (R-Texas). "In fact, Clapper testified that 'The threat is increasing in scope and scale, and its impact is difficult to overstate.' And our vulnerability is growing because our dependence on cyber is growing in just about every aspect of our lives."
Though the open, transparent and interoperable nature of the worldwide web has endowed it with undeniable dynamism, it has also given attackers a significant advantage that becomes obvious when comparing antivirus software to the malware it attempts to defeat, Lynn said. "Sophisticated antivirus suites now run on about 10 million lines of code, yet malware written with as little as 125 lines of code has remained able to penetrate antivirus software," he observed.
The Defense Department has already formally recognized cyberspace as a new domain of warfare -- like land, air, sea and space, Lynn explained. "Treating cyberspace as a domain means that the military needs to operate and defend its networks, which is why we established U.S. Cyber Command," Lynn told the RSA attendees.
Furthermore, U.S. military services need to be organized, trained and equipped to perform cyber missions. "Each of the services has recently created organizations to do just that," Lynn said. "In short, to maintain our national security, our military must be as capable in this new domain as it is in the more traditional domains."
A Cooperative Effort
Lynn suggested several avenues of industry-government cooperation need to be pursued under the Defense Department's forthcoming Cyber 3.0 strategy. "We need the scientific community to help strengthen our network architecture" even as Cyber 3.0 seeks to foster "the sharing of information" about potential threats between the U.S. government and the private sector.
Lynn also called for the development of active cyberdefenses that "operate at network speed using sensors, software and signatures derived from intelligence to detect and stop malicious code before it succeeds." Moreover, the military's evolving cybercapabilities will need to be built so they can be made available to civilian leaders to help protect the networks that support government operations and critical infrastructure.
"It is clear that securing our networks will require unprecedented industry and government cooperation," Lynn observed. "With the threats we face, working together is not only a national imperative -- it is also one of the great technical challenges of our time."
Cisco Systems Vice President John N. Stewart commented, "Commercial enterprises, such as Cisco, have built a global threat-correlation system that protects both government and enterprise customers alike, here in the U.S. and around the world. We are collaborating today to increase the effectiveness of our defense systems, while private business and law-enforcement organizations are working together to increase the consequences on those committing these crimes."