Foreign Affairs LIVE: The Pentagon's New Cyberstrategy

Thursday, September 30, 2010

Deputy Secretary of Defense William Lynn discusses the various new strategies used by the Pentagon to identify information technology threats, combat cyber warfare, and protect U.S. infrastructure.

NICHOLAS THOMPSON: I'd like to begin by asking everybody to please turn off -- don't just put on vibrate -- your cell phones, pagers and other devices. I'd also like to remind members that this meeting is on the record.

Today's speaker is William Lynn. He is the deputy secretary of Defense. He's also the author of a piece in the current issue of Foreign Affairs, "Defending a New Domain: The Pentagon's New Cyberstrategy."

So, welcome to the podium, Secretary Lynn.

DEPUTY SECRETARY OF DEFENSE WILLIAM J. LYNN III: Thanks. Thanks very much, Nicholas. I appreciate the opportunity to come to the council. I see there's a -- I was just testifying before Congress, and there's a timer right here. It's great. It's just like Congress. Well, hopefully -- actually, hopefully not. (Soft laughter.)

But the -- it's a pleasure to be here in New York. It was terrific working with Richard and the team at Foreign Affairs on the article, and I appreciate the opportunity to talk a bit about the article on cybersecurity with you all.

It's a little bit odd for somebody my age to be talking about cyber, because I'm kind of in between. On one hand, I'm old enough to be somewhat fluent in cyber and then, you know, I have of course a BlackBerry and a cell phone. I even have an iPad.

On the other hand, I don't know how any of these things work, and I pretty much left off the technical side when I could learn to program my VCR. So it -- the technical side of this is not going to be my strength.

But what I do want to talk about is, I want to talk a bit about the attributes of the threats I think that we face, the vectors that those threats could come down, and then about the strategy that we've -- we're developing at the Pentagon to deal with at least the military side of that threat.

And in the article -- and I'll start here too -- I started with an incident which was a seminal moment for cybersecurity in the Pentagon. It was an intrusion in 2008 into our networks, and that intrusion extended to our classified networks. And to that point, we did not think our classified networks could be penetrated. So it was -- it was a fairly shocking development. It happened by -- it happened with a thumb drive transferring data from the unclassified networks to the classified networks, happened in the Middle East.

We spent a lot of time, energy and money remedying the situation. That operation was called Operation Buckshot Yankee.

And it led to a new approach to cybersecurity in the Pentagon, and I want to -- and we've extended on that now with our strategy, and I want to come back to that.

But before I get to what we're doing about it, let me describe how I think you ought to think about the threat. And there are several characteristics that you ought to think about when you're thinking about cybersecurity.

The first is -- is that we use the word "asymmetric" fairly frequently now in warfare, but it is particularly true in cybersecurity. It is a very -- it requires a very low cost for people to develop cybersecurity -- cyberthreats, malware that can intrude on information technology systems.

On the other hand, the defending against those threats requires a substantial investment. And let me just give you one nugget as an example of that.

A -- some of the most sophisticated integrated defense softwares that are commercially available now have 5 (million) to 10 million lines of code, and they are massive, work-intensive, difficult products to develop.

The average malware has stayed constant over the last decade, and it's about 175 lines of code.

So you get a -- the disproportion there between the offense and the defense is substantial and will, I think, remain so for a while. I want to talk about how we might change that towards the end.

A second characteristic of cyberthreats is the difficulty of attribution. A keystroke can travel around the world twice in about 300 milliseconds. That's as long as it takes you to blink your eye. Yet the forensics of identifying an attacker can take weeks, months or even years, and that's if you can do it at all. Going back and figuring out where an attack came from is extremely, extremely difficult and by no means a sure thing.

What that means -- that has some real importance in that it starts to break down the paradigm of deterrence that was the undergirding of the -- of nuclear forces in the Cold War. If you don't know who to attribute an attack to, you can't retaliate against that attack, so there -- you can't deter through punishment, you can't deter by retaliating against the attack. This is very different, of course, than a -- you know, with nuclear missiles, which of course come with a return address. You do know who launched -- who launched the missile.

Our -- this is, I think, further complicated by the third attribute I'd talk about in terms of cyberthreats, which is that they are offense-dominant, that the Internet was developed -- was not developed with security in mind. It was developed with transparency in mind; it was developed with ease of technological innovation; it was developed with openness in terms of the system design. But it was not developed with techniques of security management, like secure identification. Those kinds of techniques were not built into the -- into the networks.

And so structurally you will find that the defender is always lagging behind the attacker in terms of developing measures and countermeasures. So adept programmers will always be able to find vulnerabilities. They will always be able to challenge security measures. So as we look towards a strategy, our view is that you cannot adapt -- adopt a fortress mentality, a Maginot line of firewalls and intrusion-detection devices. You need to be far more innovative and active than that. And I'll talk about that in just a second.

But let me talk -- before I get to the strategy -- a little bit about where the vectors of the attack might come from. The first and most obvious and most talked about is through the network itself. The -- you can -- you can attack over the Internet itself; you can use messages and -- to develop ways into networks. But those are not the only ways. You can also come across the supply chain. And you don't -- from the Pentagon's perspective, it isn't only about the military networks. The critical infrastructure networks are equally important, as well: the power grid, the transportation network, the financial systems are critical to our economy and therefore critical to national security.

So how do we propose to respond to this? At DOD, we're laying out a strategy, and the strategy has five pillars. The first of the pillars is that we need to and have recognized cyberspace for what it is: a new domain of warfare. Like land, sea, air and space, we need to treat cyberspace as a domain we will operate in, that we will defend in and that we will treat as a -- in a -- in a military doctrinal manner.

Now, that means we need training, we need doctrine, we need organizations. It's what led us to create a command for cybersecurity, the cybercommand, subunified command underneath the Strategic Command. Gives us a single chain of command for the individual services to present their forces and for the cybercommand to deploy cybersecurity assets as we need them. So that's the first pillar.

The second pillar -- I've referred to a couple of times -- is that defenses need to be active. They need to include the two generally accepted commercial passive lines of defenses -- that is, just ordinary hygiene, that you download the patch, that you update your software, you keep your firewalls up to date. And you also need perimeter defenses, the second line you most find in commercial defenses: You need intrusion-detection devices, you need monitoring software. You need all of those things.

And those things will probably be effective at this point -- and this is just a rough estimate -- they're -- probably will help you with about 80 percent of the attacks that you could see today. The last 20 percent -- and then -- again, it's a very rough estimate -- but the most sophisticated attacks ultimately will not be deterred or stopped by a -- essentially a patch-and-pray approach.

What you need is a far more active set of defenses. You need things that work by identifying signatures in advance and screening that -- screening out malicious code. It's a boundary of the network. And you can't assume, though, that you're going to get everything. You need software that's going to be able to hunt on your own networks and find malware. You need to find -- when you find them, you need to be able to block them from communicating outside. So in other words, this is much more like maneuver warfare than the Maginot Line.

The third pillar of the department's cyberdefense strategy is that we need to participate in the extension of protections to our critical infrastructure. And I identify, what I mean by critical infrastructure is not individual users in their homes. I'm talking about the power grid; talking about the transportation networks, the financial networks -- those networks that undergird our whole economy.

For those networks, the governmental responsibility is with the Department of Homeland Security, and that's where it should be. But there are capabilities in the Department of Defense that the Department of Homeland Security can -- and we're working together with them, that they can access from the defense side of the equation, so that we can make sure that our critical infrastructure is indeed protected. So that's, I think, a third pillar in the strategy.

The fourth pillar is that cyberdefense is a shared activity; that collective defense is the approach that we ought to take; that there is a strong logic, as there was when we formed our alliances during the -- during the Cold War, NATO and the Asian alliances. And there are technical reasons for this. The more attack signatures that you're able to identify in advance, the stronger your defenses will be. So getting together with allies, identifying attack signatures, exchanging those signatures, exchanging technology -- essentially, using a Cold War concept, but updated, of shared warning -- is something that we need to pursue in the cyberdefense arena. And we have been doing this with our closest allies -- the U.K., Australia -- we've extended it -- Canada. We're now looking at -- to NATO. I think at the Lisbon summit you'll see, I think, a strong NATO statement on the importance of cyberdefense, and I see that as a(n) expansion of this collective defense concept.

The fifth and final pillar is that we need to continue to leverage the U.S. technological base so that we retain the technological edge that we have right now in the cyberarena. It's a -- I think it's a fragile advantage that we have, but it is indeed an advantage. We need to marshal our resources to ensure that we have the technological resources that we're going to continue to need to be able to defend our information-technology assets from wherever an attack might come.

I also think we need to use that technological innovation to try and change the terms of the equation that I described, where the attacker has such an advantage. I think over time we can develop techniques in the Internet that will -- that will even out offense and defense to a greater degree than we see now. And I think we need -- we're asking DARPA and some of the organizations inside DOD to take a look at ideas that might push us along that line. We're talking to industry about how we might do that. And I think over the long haul -- and by long haul, I mean 10 to 20 years. This is not a -- going to be a snap-shot solution. But I think over the long haul, we might be able to change the terms of the attack-defense equation.

Let me just wind up and just say, in just a few years, information technology has transitioned from just a support function at DOD to a strategic element of power in its own right. Indeed, the front lines of national security have been redefined. Any major future conflicts will almost certainly involve elements of cyberwarfare. And the threat posed by cyber extends far beyond military operations. It extends, as I indicated, to the very heart of our economy.

As I explained, our networks are -- were compromised two years ago. We think we've taken steps over those two years to make them substantially safer than they were then, but our lead in this area is fragile. We need to stay ahead of the threat. We need to develop the organization, the doctrine, the training, the resources to maintain our military networks, and work through Homeland Security to defend both our government networks and our critical infrastructure. With that, I'm happy to take your questions.

Right. No, I understand. I am changing seats.

THOMPSON: Thank you very much, Secretary Lynn. That was both interesting and encouraging. I'm glad -- many people have been saying the U.S. government needs to take a stronger stance in this area for a long time, and you clearly are leading that effort, so (a citizen ?) thank you.

The first question I want to ask you is one of the big debates in this area, which is civilian versus military control of all these matters. If there's an attack on us, it will presumably come from someone who's maybe using e-mail. It may be directed at a specific, you know, type of U.S. hardware. For example, we've all been reading this week about the Stuxnet attack, which is a virus which is specifically targeted at Siemens hardware, possibly in Iran, possibly elsewhere, but it's through a private company.

There will be layers and layers of private companies that will be involved in any attack. Many of these companies don't trust the government or have limited trust of the government. And if they do, they probably trust the civilian side more than the military side. How do you navigate this very complicated issue of where civilian control begins and ends and where military control begins and ends?

LYNN: That's a -- that's a good question, Nicholas. I mean, as I indicated in the talk, I mean, I think we've set up a structure in the U.S. government where the responsibility for protecting the civilian infrastructure as well as the government -- that works (wise ?) with Homeland Security. And I think that's appropriate, and I think that that somewhat is -- maybe reassures people along the lines that you were raising the question.

I think, though, that Homeland Security requires a collaboration with the Department of Defense, because much of the government's capabilities in terms of cybersecurity, cyberdefense reside with the -- with the Department of Defense, (with/which ?) the National Security Agency is the -- certainly the center of excellence for our department in this.

We need to develop a way -- ways in which Homeland Security can access the capabilities of NSA and DOD and use them for the -- with appropriate authorities in protecting civilian infrastructure, government infrastructure. I think the analogy probably is to what in jargon you call defense support for civilian activities, and by that I mean things like disaster relief.

When a hurricane hits the East Coast -- it feels like there's going to be one tonight -- the -- it's -- DOD has enormous assets, helicopters, transportation, logistics that can be provided to help. But it's FEMA that's in charge. And FEMA calls on those DOD assets, but FEMA is the organization in charge. And this is I think a similar kind of a situation.

THOMPSON: Are there red lines you specifically try not to cross -- for example, we will never ask a private company for information on U.S. citizens or something like that?

LYNN: Well, I mean, we're not in the business of asking for U.S. citizen information.

THOMPSON: But you would need -- if there were -- but if there were attacks through -- let's say you were -- you were tracing an attack, somebody had made an attack and you find -- found a signature, you found lines of code. And then you found that those lines of code had been discussed on a message board from a company that was hosted in the United (States ?). Would you feel that the Department of Defense could say, "Hey, we need all your user logs for this particular time or for these particular users"?

LYNN: I mean, if that happens, you end up -- there's a -- basically a law enforcement procedure and warrants. And it -- you don't -- it isn't a DOD issue. It goes into the law enforcement; it'd actually be an FBI question. If -- I mean, if NSA found something like that, they would hand it to the FBI; the FBI would pursue it.

THOMPSON: So that's not really -- (word inaudible).

All right, let's talk about another issue. I know that one subject that you can't really talk about is offense, and so I want to stay away from that. But I want to talk about deterrence. Is there -- one thing you would like to do is, you would like -- as you mentioned, you would like to deter attacks. And one way you could deter attacks is make it clear that if you do attack us, there will be consequences. Ideally, one thing you can do is get better, I assume, at tracking down where attacks come from.

LYNN: Yeah.

THOMPSON: I assume that's a major part of what you're doing.

But another thing you could do is, you could -- you could -- you could say it is the policy or you could make it clear that the policy is, if you catch somebody attacking, there will be consequences to that person or to that system; or if there's a major attack, there will be some form of technological retaliation. Is that something that is American policy or something you're considering?

LYNN: I mean, where you're going is what's the declaratory policy.

THOMPSON: What is the declaratory policy, yeah.

LYNN: Is that -- and that's -- I mean, I think that's something the -- that is under active discussion as to what it ought to be, what it ought to include. It's a -- but it's -- extraordinarily difficult challenge. As we were talking in the other room, the policy challenges here are tough.

And in this case, it's difficult to define exactly what is an attack. You can get to one extreme -- I mean, clearly if you take down significant portions of our economy we would probably consider that an attack. But an intrusion stealing data, on the other hand, probably isn't an attack. And there are -- enormous number of steps in between those two.

And so one of the challenges in getting a coherent declaratory policy is deciding at what threshold do you consider something an attack. You know, what threshold is it more like espionage or theft? And that -- I don't -- the -- I think the policy community both inside and outside the government is wrestling with that, and I don't think we've wrestled it to the ground yet.

THOMPSON: So at some point in the current administration do you think there will be a declaratory policy on cyberdeterrence of this sort?

LYNN: It's an issue that's being worked. I can't -- I can't give you a schedule for a result.

THOMPSON: (Laughs.) And you -- presumably you can't tell me the actual policy and not the declaratory policy.

LYNN: Right.

THOMPSON: (Chuckles.) We'll go no further.

I want to ask you about -- you know, we've seen -- we've seen some cyberconflicts. We've seen in Estonia the -- presumably Russian hackers shut down the banking system.

LYNN: Right.

THOMPSON: (Off mike) -- denial-of-service attack. We've seen in Georgia similar things happening.

Tell me what you think -- not 20 years out, but five or 10 years down the road, what are we going to see in these conflicts? How is this going to grow? Clearly, technology's improving. Clearly hackers are getting better. How big a part of future conflicts will cyberwar be, and in what way?

LYNN: I mean, I think it's going to be integral to future conflicts. I think sophisticated and maybe even relatively unsophisticated participants in a conflict are going to -- going to use cyber. As an analogy, I think -- I mean, if you kind of trace -- you know, if you figure the Internet is 20, 20-plus years old, and you kind of analogize to aviation, that puts as the -- kind of the first military aircraft was bought, I think, in 1908, somewhere around there. So we're in about 1928, is --

THOMPSON: (Laughs.)

LYNN: You know, so we've kind of seen some, you know, kind of biplanes shoot at each other over France.

LYNN: But we haven't really seen kind of what a true cyberconflict is going to look like. And I think it's going to be -- it's going to be more sophisticated, it's going to be more damaging, it's going to be more threatening. And it's one of the reasons we're trying to get our arms around the strategy in front of this rather than respond to the event.

THOMPSON: Yeah, (really ?). So what does -- what does 1941 look like?

LYNN: It's -- I mean, it's very hard to say. I mean, I -- you know, our ability to predict future conflict is in the -- even in the conventional arena's pretty limited. I think if you go back the last 30 or so years and you stood six months back from any conflict, you wouldn't have predicted it, with the -- I think the exception is the Iraq war, the -- it's the only one that I think you probably saw coming. The first Gulf war, Bosnia, Panama -- I don't think you would -- six months out, you wouldn't see any of those coming.

So I think it's very hard to predict them. I think you can see -- I mean, there's a -- you're kind of going to the characteristics. I think, you know, there's -- we are very dependent on information technology for much of our military capability, so I think you can see, you know, challenges to our ability to do precision targeting, to communicate. I think you can see, you know, challenges to our logistics systems, to our transportation systems. And I think you -- as I indicated, I think there could be threats to the -- to the economy.

THOMPSON: And what about -- I mean, there are people who, for the last decade, have raised the specter of, they'll control our UAVs and turn them around and then they'll shoot against us, or they'll blow up the power grid. And up until two weeks ago, I would have said, that's insane, no one can do that. There's lots of cyberespionage, there's lots of denial-of-service attacks. But now with Stuxnet, it seems we're moving considerably closer to that. Are you -- do you think we're five years, 10 years away from the first conflict where someone really does shut down a power grid? Or do you think that's -- (audio break) -- who knows?

LYNN: It's more the "who knows." It's hard -- I mean, I -- it's hard to say. I mean, I think the capabilities are being developed, as you said. As a Defense Department official, I think it's our -- we need to respond to those capabilities. I don't right now see -- you know, I don't -- we don't really see the intent out there among, you know, other nations to do that to the United States.

Now, terrorist organizations would be a different -- so I think you have to worry that either, you know, nations with sophisticated capabilities would get the intent for some reason, or terrorist groups who already had the intent will gain the capabilities. Either way, we need -- we need to be prepared to defend against sophisticated cyberattack.

THOMPSON: Which of those two keeps you up more at night? Is it the terrorist groups that don't have the technologies right now, or the sophisticated groups who don't have the intent?

LYNN: I think the terrorist groups.

THOMPSON: With developed technology? One more question that I think is -- I think is important and is starting to gain a lot of -- is related to the previous one, is that there -- a lot of people who are really raising this specter who also have, sort of to say, skin in the game, who say that we're approaching cyberwar, and also serve as consultants to cyber companies that are selling defensive systems. And there is -- people are starting to call it the cyberindustrial complex. How influential do you think this is over the debate? Do you think it's problematic, or do you think --

LYNN: I missed the --

THOMPSON: I said there are a lot of people making a lot of money off of selling cyberdefensive systems to the Pentagon. And these are often the same people who are saying, "They're going to knock our planes out of the sky! They're going to blow things up!" Many people don't know that they also serve as consultants, they're getting all these contracts. Do you think that the debate in this country is being shifted in a way that's unhealthy, or do you think this is all just fine and we'll come out as we all discuss this more?

LYNN: I mean, I think you always have to worry about, you know, conflict of interest and self-dealing. But I think, as we discussed in your earlier questions, the cyberthreat is real, and we need to develop capabilities to defend against it. And that's certainly going to involve industry. So we need to put the appropriate protections in for conflicts, but I -- it doesn't cause me to -- I don't think the whole thing is made up, if that's where you're --

THOMPSON: Well, that's -- no, that's not the question that I asked, but I think your answer is very clear and very helpful.

All right. We are going to now move to questions from the members. I'd like to remind everybody that -- to wait for the microphone, speak directly into it, state your name and affiliation, and please keep your questions concise because there are apparently going to be loads of them.

So, starting right here.

QUESTIONER: I'm Dick Garwin, IBM fellow emeritus.

In your very good article in Foreign Affairs, you indicate that we're probably ahead in offensive cyberwarfare, we're probably ahead in defensive cyberwarfare -- that is, better than other people at defending. But you imply that we may be behind in the defense against the offense, and that you hope that in 10 or 20 years we can reverse that. But in the meantime, we had better, in my opinion, be able to compartment certain groups, so that we can maintain the security and the operability of those networks in the face of attacks that would bring down lesser-protected networks.

And I know this is going on, but it's something that people should realize. The fact that there are successful attacks all the time doesn't mean that everything is vulnerable at the same time. Some things can be protected, and we have to keep that in mind.

LYNN: Well, I think that's right. I mean, I don't want to, you know, overstate the threat. It -- the -- there are capabilities out there that are very disturbing. But I think you're right, they can't -- you know, nobody can take everything down at once. And we have -- I mean, I think, actually, on the -- you know, the military side of the equation, we have -- you know, in the two years since the Operation Buckshot Yankee, we're not -- by no means perfect. But we're far more robust and redundant than we were two years ago.

Part of what I'm saying is I think that we can work along the same lines, through Homeland Security, to strengthen the protections in the rest of the government and strengthen the protections in areas of the economy that are critical to the operation of the economy, and thereby critical to national security. That's the line that I'm going in, so it's -- but it's not "the sky is falling," by any means.

THOMPSON: In the back here.

QUESTIONER: Hello. My name is Timothy Reuter (sp), and I'm affiliated with a company called TigerTrade.

In your earlier remarks, you talked about tighter integration with our allies, such as the U.K., Canada, Australia. What do you think is the value of negotiations and treaties with our competitors, such as China and Russia, where many people believe most of these attacks are coming from?

LYNN: I think it's a -- it's a very good question. I think international negotiations is something that we need to explore, to see, you know, can you establish norms that are going to make the world a -- safer for, you know, essentially, everyone.

I do think -- I think I indicated in the article, at least in an aside -- I do think we need to be careful about the model we think about for those negotiations, and that traditional arms control negotiations, with verification and strict limits, is probably the wrong model; that looking at a law enforcement model is better, and we already have some, I think -- some successes in the law enforcement area, particularly in the Council of Europe.

I also think that a public health model has some interesting applications. Can we use the kinds of techniques we use to prevent diseases, the kind of prophylactic techniques that get international acceptance? Could those be applied to the Internet? In -- and I think that -- I think that that's an -- and I think it's worth talking not just to our closest allies but to everyone about how to do that, and I think that that's something we need to think very hard about.

THOMPSON: Right here. Second row.

QUESTIONER: My name is Alex Zedgrov (sp). I'm the chair of Alec (sp) Group. My question to you goes to your definition of the attack. Like you said, it's not easy to define what constitutes an attack. And my question to you is, how do you deal with attacks that come from transnational organizations, terrorist networks? And in those cases, how do you identify the responsible party? If an attack was launched from a particular territory of a state -- it can be an ally or otherwise -- how do you hold responsible that same state? What steps are you going to take to protect ourselves? And -- that's my question. How do you distinguish between a state-launched attack, let's say from Russia or China, or a terrorist network? And how do you hold the state responsible who is possibly harboring those organizations?

LYNN: Well, I mean, that -- that's what drove me in a couple ways. I mean, that difficulty of attribution is inherent, I think, in the Internet, and if -- and in some cases you can never get to a place that you feel confident. In others it will just take you too long. And it's one of the reasons that I pushed on that second pillar, is that you need to look at active defenses because you may not be able to deter that kind of attack. You simply have to deny the benefit. So you may not be able to deter it with a retaliatory response, but if you deny the benefit of the attack, then you may be able to deter it that way, that they have -- if they don't get anything from it, they'll lose interest in the attack. So we need -- we need defenses that are far more robust than just conventional software patches and intrusion detection and firewalls. You need a set of defenses that are -- you have more confidence that are going to get a higher percentage of the attacks.

THOMPSON: To what degree did we figure out who was responsible for the 2008 Operation Buckshot Yankee attack that you mentioned at the beginning of your remarks and the beginning of the article?

LYNN: We did narrow it down, and I think we did identify -- we -- it was a foreign intelligence organization, and that's about all I'm going to say.

THOMPSON: So did -- I won't ask you which one, but did -- do you know which one?

LYNN: We did figure it out, yes.

THOMPSON: And did -- thank you. (Laughter.) I'm not going to get any further. Why ask?

Very back, please.

QUESTIONER: (Name off mike), Greenberg Traurig. How do you begin enlisting the 19- and 20-year-olds, who are born with cybergenes, in order to resolve or solve the problems that your generation and certainly mine know so little about?

LYNN: Well, I mean, it -- as I -- I kind of gave a -- kind of a warning about my technical expertise at the beginning. The -- we -- we're having, I think, quite good success at the National Security Agency, at DARPA, in hiring those 19- and 20-year-old cybergeniuses. And it -- we -- I think they find the challenge exciting. I think the government is, I think, in this area in an exciting technological place to be part of, and it's certainly, I think, worthwhile to be part of defending your country. So we are actually having quite good success in recruiting those kinds of individuals.

THOMPSON: In the third row, please.

QUESTIONER: Ian Murray, Lanexa Global Management. I have a question that might not apply to you, might be more on the criminal side. But the wonderful thing about the Internet, of course, is, it's a network of networks without any central regulation. And so people who use it and people in technology get really when governments start talking about -- they want the ability to regulate and track down either criminals or terrorists. And so do you think there's a way the government's going to be able to do this effectively to get the outcome they want without ruining what makes the Internet such a tremendous asset globally?

LYNN: No, I do think so. I mean, I -- I've talked a lot about active defenses. None of the active defense techniques that I'm talking about I think impinge on the privacy of -- or the liberties of individual users. They don't -- they don't -- there's no need to get to that point. It's -- what you're talking about is parts of the economy that need to be protected.

And in general, in those kinds of companies, you're talking about proprietary networks that are controlled by companies. And so you have to work out arrangements with companies as to what they want to allow and what they won't. But you're never reaching the individual user -- the individual user, so that generally the privacy concerns and the civil-liberties concerns aren't raised with the kind of defense techniques we're talking about.

THOMPSON: Will you define active defense a little more? It means we don't just build a bunch of walls to stop people from getting into our systems, but we also --

LYNN: You need to be able to essentially operate on your own network on the assumption that they will have gotten in, and -- so that you need to be able to hunt on your own network, you need to be able to block communications out from your network to a -- an adversary server. So you need to be able to operate and maneuver inside your own networks to be able to conduct these kinds of (activities ?).

THOMPSON: And does it also mean, related to the past question, to know when someone has gotten inside of a related network, say a defense contractor's network, and is leading attacks on you, and to use the same mechanisms against that person there?

LYNN: You don't -- you don't need to protect -- the military networks, they don't need that. To protect the -- it may be that you want to extend that to defense industry; then you would have to get inside, then you'd have to get consent from that company and you have to work through the legal issues there.

THOMPSON: Then you -- right.

And the third row in the center?

QUESTIONER: My name is Stanislav Terzhavsky (ph). I'm an engineer of (application security ?). There are always rumors -- well, actually, you mentioned that Internet by definition is an open and not reliable, not secure network. Are you working on anything fundamentally different, fundamentally secure, fundamentally robust?

LYNN: We -- we've got concepts that would be -- I mean, at a -- again, we're at the limits of my technical knowledge. There are concepts of trying to develop the Internet so it acted more like a human organism, so that it essentially, when it was hit with a virus, it mutated to respond and fend off that virus. And it -- so there are -- but that's about as far as I can go with that concept. But there are ideas like that that would change somewhat the nature of the Internet and that would shift the advantage much more to the defender and away from the attacker. But I think we're years and years away from seeing anything like that implemented.

THOMPSON: By that do you mean a sub-Internet within the Defense Department where all these things happen that act more like a human? Or do you mean changing the whole nature of the whole Internet?

LYNN: Well, it could be either. I mean, I think -- you'd obviously have to start someplace and, you know, if it worked, would it -- would it propagate.

THOMPSON: Okay. In the third row here.

QUESTIONER: My name is Duncan Card (ph). I chair the technology practice at Bennett Jones law firm in Canada. Three really quick questions. One, can you comment on Cyber Storm III? Secondly, on the diplomatic side, when you discover or you conclude that a particular government has been engaged in this activity, what are the diplomatic activities that are happening to stop that in the future? Thirdly, what do -- what does the United States need to do outside of its borders in foreign jurisdictions to protect itself?

LYNN: Cyber Storm III is an exercise that the U.S. government conducted both interagency and internationally to test out cybersecurity concepts. Your second question --

QUESTIONER: (Off mike.)

LYNN: It's -- I think it completed today. It's this week, yes. What was your second question?

QUESTIONER: (Off mike.)

LYNN: It's run by Homeland -- Homeland Security is running it. I'm not -- I'm not sure what their --

QUESTIONER: (Off mike) -- diplomatic efforts?

LYNN: On diplomat -- I mean, diplomatic efforts would be the same as any other. If we think, you know, somebody has done something that we object to, we use, you know, various means, including diplomatic, to object. I don't think cyber is different in that regard.

QUESTIONER: (Off mike.)

LYNN: I can't -- I can't get into comments on that.

THOMPSON: All right. We've got a question --

QUESTIONER: (Off mike.)

LYNN: Well, that was the fourth pillar I was talking about, is I think -- I think we do want a collective defense concept. We're exchanging signatures; we're exchanging, you know, how do we respond to those attack signatures and what kind of technology might be used. So I think it's a collective defense, shared warning kind of world that we want to live in.

THOMPSON: First the front left, and then the back right.

QUESTIONER: (Name inaudible) -- Lion's Path Capital. A new fiscal year starts tomorrow. I'm curious, if you look at budget plans over the next couple of years, do you think this is an area that's adequately resourced in DOD plans for all the things you'd like to do?

LYNN: Happy New Year. (Laughter.) The -- I'm an old comptroller, so this is -- the -- we have resourced this fully, we think. I mean, I -- frankly, I think this is an area as you find when you're in new areas where ideas are harder to come by than resources. It's -- you know, what's the next concept, how do you take it?

And it -- and so you -- and the ideas tend to at least start small, so it -- I don't -- I think ultimately you might face -- you know, depending on how big it gets, you might -- you might face resource challenges. I don't think we're at that stage of the development yet.

THOMPSON: To clarify, someone in the defense industry in a rapidly moving area with lots of needs has just said we don't need any more money.

LYNN: Yeah. (Chuckles, scattered laughter.)

THOMPSON: Excellent.

Back right.

QUESTIONER: Hi. Andrew Dodi (sp) of Clearing Price.

My question is, are we positioning ourselves to be the cop on the beat with cyber? For example, Iran reported their nukes -- nuclear mischief, was recently hacked, and the primary suspect was Israel. Brazil, not a usual suspect in this, was hacked fairly recently, which I think I found out watching Charlie Rose. So to form a question, are we stuck with being the cop on the beat to grown-ups in cyberspace?

LYNN: Well, no. I think it's the two lines that came up in earlier questions. I think we do want to work with our allies to develop our defenses. And I think to the question that was over on the left, I think we ought to look at regimes, public health, law enforcement, where we could establish international norms that might restrict some of the kinds of threats that we would face. So I -- but do -- are we going to be the enforcer? No, I don't -- at least, that's not the direction things have taken.

THOMPSON: Rafi (sp), front row.

QUESTIONER: Hi. Rafi Kachadorian (sp). I have two questions.

One is, you know, when the Air Force conducts a sortie in Afghanistan and they knock out some critical infrastructure, we often read about it and hear about it as kind of offensive operations. When the Marines do something in Helmand, let's say, you know, we'll hear about it shortly after. Well, how is it difficult in the realm of cyberwarfare for you to talk about offensive operations, let's say taking out an al Qaeda website or whatever it may be? Why in this realm is it harder to discuss the offensive side?

My second question is about in the context of WikiLeaks. Maybe you can have some -- share some thoughts on WikiLeaks. But in the broader sense, in terms of developing our cybersecurity, DARPA recently announced that it was accepting submissions or encouraging -- (inaudible) -- encouraging academics and other security specialists to think about how the problem of overclassification could be managed. And it seems that that would be an interesting way to sort of deal with containing or managing our secrets, especially some of the tactical information that we -- (inaudible) -- on WikiLeaks.

To what extent in the review and conversation that you're having on our managing overclassification part of our cybersecurity strategy?

LYNN: I don't think overclassification's so much come up in terms of WikiLeaks. But President Obama came in with a commitment to try and declassify as much as security warranted, and we've tried to move down that path.

In terms of the offensive operations, there's just very little that you can -- that you can say, beyond that we have -- we develop the capabilities we think we need to defend against the threats that we see out there, and it's -- beyond that, I can't really expand.

THOMPSON: There in the back.

QUESTIONER: Harriet Pearson, with IBM Corporation.

What's -- to go back to collective defense, what's your perspective on the U.S. strategy or role in trying to maintain some level of consistency in how governments look at procurement as an area for supply chain? You mentioned supply chain earlier, for example. You know, India, for example, has been attempting to look at telecommunications networks and the security or the integrity of products there. Other governments have been trying to look at the same. What's the role of kind of a global approach there -- or at least, an allied approach -- to maintain some consistency of approach and in support of economic development there, too?

LYNN: You know, I think that's a good thought, that the -- that the collective approach to the supply-chain threat has real merit. I do see -- I mean, the supply-chain threat: that is, the equipment that you gain may itself be compromised before you've even begun to operate it.

I don't think an approach of just trying to build everything behind a fence is going to work. We're going to have to have far more sophisticated techniques. I think IBM, Microsoft, some other companies have developed some risk-management techniques, some randomization in terms of where equipment's going, some approaches to testing. And I -- it's going to -- there's never -- there isn't going to be a silver-bullet solution to this. It's far too complex a problem. So you're going to have to find layers of solutions that, hopefully, make it too costly for somebody to pursue that; that it's going to be too random an event for them to succeed to be worth the -- to be worth the effort. I think that's far more -- and I think using our allies in that -- in that effort makes a lot of sense.

THOMPSON: Similarly, do you ever use, or do you have a declaratory policy of setting up honey pots, for example, within the Defense Department, whereby you put up caches of information that may look like they're relatively easy to get, but are actually traps for false information, or things like that?

LYNN: Well, if we did that, I wouldn't tell you. (Laughter.)

THOMPSON: Well, you might -- but you might have an incentive to tell me that you do that, so that I would try not to get the real stuff. Could be playing a double-game here.

Next question -- well, actually, I want to ask one more question about espionage, which is something you were talking about a little bit -- a little bit earlier downstairs; which is there are -- there are real, actual spies. There are, you know, Russians who infiltrate, you know, New York City, as we know. And there are also people who hack into our systems and steal our stuff, and we've seen several citizens who've been working with the government of China have been recently sentenced. Have we reached the point where the balance of what we should be worried about has shifted into the cyberarea, away from the -- other side?

LYNN: I mean, I think in the cyberarea the threat has often become a multiple, so that, you know, in the, you know, Cold War days, World War II days, somebody would steal a book or a formula; now they -- you know, with the cyber, if they get inside, they might steal the whole library. And so that it's multiplied that way.

I also think -- you didn't go this way, but I'm going to take it -- is in terms of when you look at export controls, we're trying to control exports of various technologies. Now, we want to reform that, but at the same time, you can see in the cyberarea that the -- you know, that the designs are going out through -- being exfiltrated through a cyberintrusion. And so, you know, we may be watching the wrong -- the wrong post, as it were.

THOMPSON: Fair enough. Okay.

Fourth row.

QUESTIONER: Hi. I'm Adam Segal, from here at the council.

You mentioned that you didn't think we'd be moving very forward on traditional arms control agreements. And this is probably not the best time for these kind of conversations, given our current relationship with China and the way that military-to-military contacts are going. But if we were to have a discussion with China about norms of behavior, what types of things do you think we could actually move forward on, or what types of things would you like to know that the Chinese are thinking about -- thresholds, declarative statements, types of things that they would hold at risk? What do you think we could actually accomplish in the short term?

LYNN: Well, I mean, I certainly think, and Secretary Gates has been very clear, that we ought to have greater dialogue with the Chinese. And I think cybersecurity would be -- would be part of that dialogue. I also think we have been interested in getting both the -- in nations inside the law-enforcement regime that started in Europe a few years ago. And I think that that has promise, as well. So I think -- I think there are avenues that could be pursued.

THOMPSON: A question here on the left, fourth row.

QUESTIONER: Hi. Tom Davey, Council on Foreign Relations.

Secretary Lynn, your excellent FA essay doesn't discuss open-source software as a potential component of a defensive cyberdefensive strategy. Advocates of open-source software argue that it's inherently less susceptible to malware like the Stuxnet worm, which is propagated by proprietary software. What is DOD's attitude towards open-source software?

LYNN: I wouldn't -- I wouldn't -- I guess I wouldn't exclude it as a -- as a path. It's -- on military systems, open-source software has limits in terms of what we can use it for. We often have particular code that we need and that has to be done in a classified setting, and so that can limit us in some ways.

But I think, you know, your more general point that open-source software, because it mutates more and is updated more often, may be less vulnerable, I think that's something we need to look at in a variety of sectors.

THOMPSON: Okay. Over here on the right.

QUESTIONER: Nick Platt, Asia Society.

Mr. Secretary, do you have any advice for ordinary mortals like myself, who are struggling with their BlackBerrys and their iPads and so forth, to protect their sources of information -- bank accounts, et cetera, et cetera? Is there something you think we should be doing, or not doing?

THOMPSON: (Laughs.) Ordinary mortals --

LYNN: Well, I'm really way out of my expertise. But I think, you know, reading the literature, just keeping your software and firewalls up to date deals with the great majority of the threats. It's that -- the most common avenue, I think, for that kind of threat is people who just didn't download the patch and just didn't -- you know, just didn't get around to it. It's not -- it's not perfect, but it -- I think it deals with a -- with an enormous segment of it.

THOMPSON: Ordinary mortals who happen to be former ambassadors of perhaps the largest rival in cyberspace.

In the back.

QUESTIONER: (Off mike) Nickels (sp) -- from Reuters.

I just wanted to follow up on the Stuxnet virus. Where do you think it came from? Do you think its intended target was the Iranian nuclear plant? And how much of a concern is it? And also, what country do you think poses the greatest cyberthreat?

LYNN: I don't know where Stuxnet came -- the -- I think it indicates a -- you know, the challenging nature of the threats, that these threats are evolving and we have to be -- we have to -- that's why I talk about the technological innovation. We have to keep moving, because the threat is going to continually pace forward.

THOMPSON: By saying you don't know where it came from, are you saying that it did not come from the United States?

LYNN: I don't know.

THOMPSON: I think we have time for maybe two or three more questions, so up here.

QUESTIONER: Herbert Levin (sp).

At one point, you seemed to indicate that the main thing was to have a good defense here, because it was awfully hard to track down the perpetrators, the attackers. Then at another point, you referred to perhaps the World Health Organization, or even the IAEA, having international norms. I appreciate that we have a robust defense against nuclear attack and we are very strong in our support of the IAEA, but how do you handle these two things simultaneously? Because if you concentrate on your defense, not in building -- (audio break) --

THOMPSON: Oh, no, we've lost him.

LYNN: Yes. The council is censoring your question. (Laughter.)

QUESTIONER: There's a bit of a -- there's a bit of a contradiction there. And I do note that when we had an ACTA (sp), though that was about weapons, it was in the State Department. And then when we -- WHO was in another part of the U.S. government. Is the Defense Department really the best place to put this, from the standpoint of cooperation with the rest of the world, most of which are not our allies?

LYNN: Oh, I don't think it -- you're -- I'm not suggesting the -- Defense Department wouldn't -- if we have negotiations, it wouldn't be the Defense Department that would lead them. It would be -- it would almost surely be State.

THOMPSON: Right here in the front row.

QUESTIONER: Maera Jayno (ph), Columbia University. Could you say a little bit more about what the law-enforcement model offers? The reason I'm asking is because I think of it as working particularly well with jurisdictions that have similar protections, that allow for information-sharing. And there are very few of those. So when you're working with countries that don't have comfortable levels of protection within their own -- (off mike) -- how can you work across borders?

LYNN: Well, no, I think that's a -- part of the law-enforcement model is that the nations that subscribe to it would have to open things up more than they may be comfortable. And that may be a limitation of the law-enforcement model. I think you're right.

THOMPSON: Last question, if anybody had a final question. Right here in the -- on the back -- yes.

QUESTIONER: I'm Bob Lindstrom (sp) of Forbes magazine. Where do we stand with the plan and the obtaining of the finances to defend -- (audio break) -- utility system, the transportation system, the finance system? The reason I'm asking this is that six years ago I visited your facility in Albuquerque. They showed me -- they were running a model there that they could shut down the utility system -- (audio break) -- several cities -- (audio break) -- period of -- (audio break) -- didn't think that al Qaeda at that time had any real sophistication or capability of knowing how to utilize the Internet for doing something -- (audio break).

LYNN: Well, as I said, the lead on protecting critical infrastructure is with the Department of Homeland Security. We are -- we are working currently with them on developing approaches that would potentially extend to the areas that you talked about.

THOMPSON: Sort of an addendum to that question, which is, we have -- if somebody wanted to shut down our power grid, you couldn't shut down one thing; you'd have to shut down hundreds of power grids across the country, led by complicated bureaucracies. Is that -- from a truly cyberdefensive perspective, is that a good thing because it means we have a dispersed, complicated target? Or is it a bad thing because it's harder to manage and (to work ?) with all of those different power companies that are dispersed around -- (inaudible)?

LYNN: Well, I think more good than bad. I mean, I think -- (audio break) -- is going to be one of the primary techniques that you use in terms of defending. I just don't think you can rely on it -- (audio break). And that's why I'm pushing forward on more active defense techniques. But I think you're right: You can't just push a button and take everything down. So it -- having that disparate dispersal and somewhat different systems across different part -- different sectors and inside different sectors is an important protection.

THOMPSON: (Chuckles.) Excellent. So our immensely (complicated ?) power system, which no one has ever praised before now, has a real virtue to it.

LYNN: There you go.

THOMPSON: All right. Thank you very much for the fantastic session. I'm sure we all learned a lot. Thank you very much, Deputy Secretary Lynn. (Applause.) Tremendous.

LYNN: Thank you.

THOMPSON: Thank you. That was great.
