A DoD Cyber Strategy To Prepare Our Military for Emerging Cyber Threats
A DoD Cyber Strategy To
Prepare Our Military for Emerging Cyber Threats
Remarks on the Department of Defense
Cyber Strategy. As Delivered by Deputy Secretary of Defense William J. Lynn,
III, National Defense University, Washington, D.C., Thursday, July 14, 2011
Source : U.S. Department of Defense.
Thank you Hans.
Returning to NDU is especially meaningful for me. I was a
fellow here at an evocative time. Reagan was President. Nuclear conflict with
the Soviet Union dominated defense scenarios. And the Berlin Wall appeared to
forever separate two mutually-antagonistic world-systems.
Yet even at the height of the Cold War, epoch-making forces
were at work. We did not know it at the time, but the fall of communism was less
than a decade away. Nor did we foresee the explosion and global spread of
information technologies. The networks that became the internet were up and
running the year I was here. We had no idea they would change history.
Deputy Defense Secretary William J.
Lynn III announces the Defense Department's
Strategy for Operating in Cyberspace at National Defense University at Fort Lesley J. McNair in Washington, D.C.,
July 14, 2011. It is the department's first unified strategy for operating in
For all the capability information technology enables in our
military and beyond, it also introduces new vulnerabilities. In 2008, a foreign
intelligence agency penetrated our classified computer systems. Today, the cyber
threat poses dangers to our security that far exceed what happened three years
My purpose today is to outline a strategy for confronting
these threats – the Department’s first ever Strategy for Operating in
The cyber environment we face is dynamic. As such, our
strategy must be dynamic as well. So while today is an important milestone, it
is only one part of the Department’s efforts to learn and adjust through time.
Addressing hostile cyber activities against our nation will
necessarily involve many parts of our government. White House Cyber Security
Coordinator Howard Schmidt is here today, as are friends and colleagues at other
departments and agencies. From DoD, I want to particularly thank Principal
Deputy Undersecretary for Policy Jim Miller, cyber policy lead Bob Butler, DoD
CIO Teri Takai, Cybercom Commander General Keith Alexander, and General James
Cartwright, Vice Chairman of the Joint Chiefs of Staff. Keeping cyberspace
secure will also require the perspectives and capabilities of those with whom we
share this space—especially private and commercial users.
Many of these users have already been affected by criminal
activity. And while identifying criminal activity in cyberspace is of concern,
this is not the Defense Department’s primary concern. Rather, our concern is
specific to activities that threaten our mission to protect the security of the
Nation. We do not know the exact way in which cyber will figure in the execution
of this mission, or the precise scenarios that will arise. But the centrality of
information technology to our military operations and our society virtually
guarantees that future adversaries will target our dependence on it. Our
assessment is that cyber attacks will be a significant component of any future
conflict, whether it involves major nations, rogue states, or terrorist groups.
Tools capable of disrupting or destroying critical networks,
causing physical damage, or altering the performance of key systems, exist today.
The advent of these tools mark a strategic shift in the cyber threat—a threat
that continues to evolve. As a result of this threat, keystrokes originating in
one country can impact the other side of the globe in the blink of an eye. In
the 21st Century, bits and bytes can be as threatening as bullets and bombs.
But disruptive and destructive attacks are only one end of a
continuum of malicious activity in cyberspace that includes espionage,
intellectual property theft, and fraud. Although in the future we are likely to
see destructive or disruptive cyber attacks that could have an impact analogous
to physical hostilities, the vast majority of malicious cyber activity today
does not cross this threshold.
In looking at the current landscape of malicious activity,
the most prevalent cyber threat to date has been exploitation—the theft of
information and intellectual property from government and commercial networks.
This kind of cyber exploitation does not have the sudden payoff of a bank heist
or the dramatic impact of a conventional military attack. But by blunting our
edge in military technology, and enabling foreign competitors to copy the fruits
of our commercial innovation, it has a deeply corrosive effect over the
long-term. It is hard to know how much damage this digital thievery does to our
economic competitiveness and national security, but a recent estimate pegged
cumulative economic losses at over a trillion dollars.
Today, sophisticated cyber capabilities reside almost
exclusively in nation-states. Here, U.S. military power offers a strong
deterrent against overtly destructive attacks. Although attribution in
cyberspace can be difficult, the risk of discovery and response for a major
nation is still too great to risk launching destructive attacks against the
United States. We must nevertheless guard against the possibility that
circumstances could change, and we will have to defend against a sophisticated
adversary who is not deterred from launching a cyber attack.
Terrorist groups and rogue states must be considered
separately. They have few or no assets to hold at risk and a greater willingness
to provoke. They are thus harder to deter. If a terrorist group gains disruptive
or destructive cyber tools, we have to assume they will strike with little
hesitation. And it is clear that terrorist groups, as well as rogue states, are
intent on acquiring, refining, and expanding their cyber capabilities.
So we stand at an important juncture in the development of
the cyber threat. More destructive tools are being developed, but have not yet
been widely used. And the most malicious actors have not yet obtained the most
harmful capabilities. But this situation will not hold forever. There will
eventually be a marriage of capability and intent, where those who mean us harm
will gain the ability to launch damaging cyber attacks. We need to develop
stronger defenses before this occurs. We have a window of opportunity—of
uncertain length—in which to protect our networks against more perilous threats.
To prepare our military for emerging cyber threats, we have
developed a DoD Cyber Strategy. This strategy holds that our posture in
cyberspace must mirror the posture we assume to provide security for our nation
overall. Namely, our first goal is to prevent war. We do this in part by
preparing for it. And we do so while acknowledging and protecting the basic
freedoms of our citizens.
The steps we have taken to respond to the cyber threat has
prompted discussion in recent weeks about “cyber-war” and its implications. As
we release the DoD Cyber Strategy, it is important to address this topic head
Commentators have asked whether and how the U.S. would
respond militarily to attacks on our networks. And this speculation has prompted
concerns that cyberspace is at risk of being militarized—that a domain
overwhelmingly used by civilians and for peaceful purposes could be
fundamentally altered by the military’s efforts to defend it. The concern here,
as in other areas of our security, is that the measures put in place to prevent
hostile actions will negate the very benefits of cyberspace we seek to protect.
We have designed our DoD Cyber Strategy to address this
It should come as no surprise that the United States is
prepared to defend itself. It would be irresponsible, and a failure of the
Defense Department’s mission, to leave the nation vulnerable to a known threat.
Just as our military organizes to defend against hostile acts from land, air,
and sea, we must also be prepared to respond to hostile acts in cyberspace.
Accordingly, the United States reserves the right, under the laws of armed
conflict, to respond to serious cyber attacks with a proportional and justified
military response at the time and place of our choosing.
Our ability to identify and respond to a serious cyber attack
is however only part of our strategy. Our strategy’s overriding emphasis is on
denying the benefit of an attack. Rather than rely on the threat of retaliation
alone to deter attacks in cyberspace, we aim to change our adversaries’
incentives in a more fundamental way. If an attack will not have its intended
effect, those who wish us harm will have less reason to target us through
cyberspace in the first place.
The logic behind denying the benefit of an attack rather than
relying exclusively on the threat of retaliation flows from the nature of
cyberspace itself. The internet was designed to be open, transparent, and
interoperable. Security and identity management were secondary objectives in
system design. This lower emphasis on security in the internet’s initial design
not only gives attackers a built-in advantage. It can also make intrusions
difficult to attribute, especially in real time. This structural property of the
current architecture of cyberspace means that we cannot rely on the threat of
retaliation alone to deter potential attackers. Some adversaries might gamble
that they could attack us and escape detection.
An important element of our strategy is therefore focused on
denying or at least minimizing the benefit of an attack. If we can minimize the
impact of attacks on our operations, and attribute them quickly and definitively,
we may be able to change the decision calculus of an attacker. Enhancing our
defenses also increases the resources needed to mount a successful attack,
thereby making cyber attacks even less attractive to our adversaries.
This emphasis on cyber defenses illustrates how we are both
mindful of those who would do us harm using cyber means, but also committed to
protecting the peaceful use of cyberspace. Far from “militarizing” cyberspace,
our strategy of securing networks to deny the benefit of an attack will help
dissuade military actors from using cyberspace for hostile purposes. Indeed,
establishing robust cyber defenses no more militarizes cyberspace than having a
navy militarizes the ocean. This commitment to peace through preventive defense
is at the heart of our DoD Cyber Strategy and the Administration’s overall
approach to cyberspace.
With this understanding, let me turn to the five primary
pillars of our strategy.
First, as a doctrinal matter, the Defense Department is
treating cyberspace as an operational domain, like land, air, sea, and space.
Treating cyberspace as a domain means that the military needs to operate and
defend its networks, and to organize, train, and equip our forces to perform
Second, we are introducing new operating concepts on our
networks, including active cyber defenses. These active defenses use sensors,
software, and signatures to detect and stop malicious code before it affects our
operations—thereby denying the benefit of an attack.
The third and fourth pillars of our strategy recognize the
interconnectedness of cyberspace and the diversity of uses to which it is put,
by individuals, in our economies, and across nations. Because cyberspace is
composed of many interwoven networks that perform many different functions,
ensuring its peaceful use will require efforts on many fronts. The men and women
of the military, other government agencies, our allies, the private sector, and
indeed, the citizens of cyberspace must all play a role.
The third pillar specifically recognizes that a number of
non-military networks support important military functions. This is especially
true when it comes to the power grid, transportation system, and financial
sector. So to protect our military capability, we must work with the Department
of Homeland Security and the private sector to protect the nation’s critical
Our fourth pillar carries this logic of interconnectedness to
our allies and international partners. Our goal with them is to build collective
cyber defenses. Collective cyber defenses will help expand our awareness of
malicious activity and speed our ability to defend against ongoing attacks.
Fifth, our strategy aims to fundamentally shift the
technological landscape of cyber security. Simply put, we want to enhance
network security to reduce the advantages the attacker presently enjoys relative
to the defender on the internet. Leveraging the nation’s technological and human
resources to increase the security of network technology is not only in our best
interest. A more secure and resilient internet is in everyone’s interest.
Over the past year, we have made progress in each of these
To centralize the operation and defense of our networks, we
stood up U.S. Cyber Command and made it fully operational. We have established
supporting activities in each of the military services. And we are now training
our forces to thwart attacks that compromise our operations. Although no network
will ever be perfectly secure, our military networks today are better defended,
and our cyber hygiene more effective, than before.
On the international front, we have partnered with Australia,
Canada, the United Kingdom, and our NATO allies. And under the President’s
International Strategy, we will seek greater cooperation with more nations in
the coming months.
We have also committed half a billion dollars in R&D funds to
accelerate research on advanced defensive technologies. Our research agenda
includes novel approaches to improving network security and defense. We imagine
a time when computers innately and automatically adapt to new threats. We hope
for a world when we can not only transmit information in encrypted form, but
also keep data encrypted as we perform regular computer operations. Having data
encrypted 100% of the time would be a revolution in computer security, greatly
enhancing our ability to operate in un-trusted environments.
Lastly, we have made substantial progress in working with
private industry and the rest of government to make our critical infrastructure
more secure. I would like to spend the final part of my remarks discussing this
crucial area and its importance to national security.
To date, malicious cyber activity has been directed at nearly
every sector of our infrastructure and economy. The I.M.F., Citibank, Sony’s
PlayStation Network, the secure token provider RSA, Google, NASDAQ, and multiple
energy firms have been targeted. Cyber intruders have been so effective that
even companies employing sophisticated commercial defenses have also fallen
victim. In fact, our venue here today, the National Defense University, has been
struck. The NDU website and its associated server were recently compromised by
an intrusion that turned over system control to an unknown intruder.
The country’s critical infrastructure has also been probed.
Because much of this critical infrastructure supports military operations, its
failure could compromise our abilities to protect the nation. Our military bases
and installations are part of—and not separate from—the critical infrastructure
on which all Americans depend. Ninety-nine percent of the electricity the U.S.
military uses comes from civilian sources. Ninety percent of U.S. military voice
and internet communications travel over the same private networks that service
homes and offices. We also rely on the transportation system to move military
personnel and freight, on commercial refineries to provide fuel, and on the
financial industry to process our payments.
Significant disruptions to any one of these sectors could
impact defense operations. A cyber attack against more than one could be
devastating. The integrity of the networks that undergird critical
infrastructure must therefore be considered as we assess our ability to carry
out national security missions.
In the United States, the Department of Homeland Security has
responsibility for protecting critical infrastructure. In the past year, we have
signed a memorandum of agreement with DHS to seamlessly coordinate our cyber
security efforts. Wehave established a joint planning capability and exchange of
personnel in our cyber operations centers. And we are helping Homeland Security
deploy advanced defensive technologies on our government networks.
The critical infrastructure the military depends upon also
extends to the private companies that build the equipment and technology we use.
Their networks hold valuable information about our weapons systems and their
capabilities. The theft of design data and engineering information from within
these networks undermines the technological edge we hold over potential
It is a significant concern that over the past decade,
terabytes of data have been extracted by foreign intruders from corporate
networks of defense companies. In a single intrusion this March, 24,000 files
When looking across the intrusions of the last few years,
some of the stolen data is mundane, like the specifications for small parts of
tanks, airplanes, and submarines. But a great deal of it concerns our most
sensitive systems, including aircraft avionics, surveillance technologies,
satellite communications systems, and network security protocols. The cyber
exploitation being perpetrated against the defense industry cuts across a wide
swath of crucial military hardware, extending from missile tracking systems and
satellite navigation devices to UAVs and the Joint Strike Fighter.
Current countermeasures have not stopped this outflow of
sensitive information. We need to do more to guard our digital storehouses of
Toward that end, the Department of Defense, in partnership
with DHS, has established a pilot program with a handful of defense companies.
This program provides these companies with more robust protection for their
networks. In this Defense Industrial Base—or DIB—Cyber Pilot, classified threat
intelligence is shared with defense contractors or their commercial internet
service providers along with the know-how to employ it in network defense. By
furnishing this threat intelligence, we are able to help strengthen these
companies’ existing cyber defenses.
In this way, the DIB Cyber Pilot builds off existing
capabilities that are widely deployed through the commercial sector. By
leveraging infrastructure that already exists, the pilot suggests we can provide
substantial additional protections across our critical infrastructure for only a
fractional increase in cost.
In the DIB Cyber Pilot, the U.S. government is not
monitoring, intercepting, or storing any private sector communications. Rather,
threat intelligence provided by the government is helping the companies
themselves, or the internet service providers working on their behalf, to
identify and stop malicious activity within their networks. The pilot is also
voluntary for all participants.
Although we are only beginning to evaluate the effectiveness
of the pilot, it has already stopped intrusions for some participating industry
partners. And through the information sharing the pilot promotes, we not only
halted intrusions. We also learned more about the diversity of techniques used
to perpetrate them.
The DIB Cyber Pilot breaks new ground in recognizing the
interconnectedness of cyber and the important role of stakeholders in thwarting
attacks. We have much to do to protect our critical infrastructure from
sophisticated intrusions and attacks. But by establishing a lawful and effective
framework for the government to help operators of critical infrastructure defend
their networks, we hope the DIB Cyber Pilot can measurably enhance the security
of our nation’s critical infrastructure.
We are a long way from the world I knew while a fellow at NDU.
Superpower competition has faded, yielding a strategic environment that is
unlike anything we could have imagined. Whereas the Berlin Wall once divided us,
now we are more interconnected than ever.
Our responsibility is to acknowledge this new environment and
adapt our security instruments to it. That is the purpose of the DoD Cyber
Strategy. We must prepare. We must recognize the interconnectedness of cyber.
And we must be mindful of the many ways cyberspace is used–as a peaceful
instrument of global communications, as a tool for economic growth–and, also, as
an instrument to threaten and sometimes cause harm. Given this broad landscape
of activity in cyberspace, we must both protect its peaceful, shared uses as
well as prepare for hostile cyber acts that threaten our national security. The
strategy we are announcing today helps establish that balance. It provides a
framework for us to promote our nation’s values in this vital civilian space
while carrying out our duty to protect the nation.