Government and industry must work more closely together to counter the growing threat to the nation’s cyber networks, Deputy Defense Secretary William J. Lynn III told information technology professionals here today.
The Defense Department and other federal departments and agencies need to pursue or expand avenues in information sharing, strengthening network architecture, and extending government’s network defenses to private networks key to national security and the economy, he said during a keynote speech at the annual RSA Conference for Internet security.
Lynn told thousands gathered for the conference that the private sector’s role in defending the cyber domain is critical. Unlike the sea, air, land and space domains, cyber is not an area where military power alone can dominate, he said.
“The overwhelming percentage of our nation’s critical [information] infrastructure, including the Internet itself, is in private hands,” Lynn noted. It will take the country’s “vast technological and human resources to ensure the United States retains its preeminent capabilities in cyberspace, as it does in all the other domains,” he said.
Telecommunications providers have “unparalleled visibility” into global networks and often possess the best operational capacity to respond to system assaults, Lynn said. “They can detect attacks transiting their systems, and in many cases, alert customers,” he added.
Information-sharing efforts are well underway, with industry and government executives meeting regularly as part of a partnership known as the Enduring Security Framework, Lynn said. The framework “not only helps identify vulnerabilities, it also mobilizes government and industry expertise to address security risks before harm is done,” he said.
More work is needed, the deputy secretary said, because network attackers have an inherent advantage. Because the Internet was designed to be open and interoperable, security and identity management were secondary in its design.
“You can see just how significant this advantage is by comparing anti-virus software to the malware it’s designed to defeat,” Lynn said. “Sophisticated anti-virus suites now run on about 10 million lines of code … up from one million lines in only a decade. Yet malware written with as little as 125 lines of code has remained able to penetrate anti-virus software across this same period.”
Government agencies need the scientific community to help strengthen network architecture, he said.
“We must embed higher levels of security and authentication in hardware, operating systems, and network protocols,” Lynn said. The National Strategy for Trusted Identities in Cyberspace, a White House initiative, “will lay one building block of this more secure future,” he said.
“It will take the course of a generation to have a real opportunity to engineer our way out of some of the most problematic vulnerabilities of today’s technology,” he said.
To spur security improvements, the Defense Department is adding $500 million for new research in cyber technologies, with a focus on areas like cloud computing, virtualization, and encrypted processing, Lynn said. The department also is providing seed capital to companies through its “Cyber Accelerator” pilot program to produce dual-use technologies that address cyber security needs, he said.
The department must speed its adoption of these new technologies, Lynn said.
“It currently takes the Pentagon 81 months to field a new information technology system. The iPhone was developed in just 24 months,” he said. “We have to close this gap, and Silicon Valley can help us.”
The Pentagon will expand its Information Technology Exchange Program, which manages temporary “job-swaps” between the department and industry IT experts, he announced.
“We want senior IT managers in the department to incorporate more commercial practices,” he said. “And we want seasoned industry professionals to experience, first-hand, the unique challenges we face at DOD.”
Lynn also announced that DOD is beginning a program to maximize its use of cyber expertise within the National Guard and Reserve.
Many reservists have a high level of IT knowledge they use in their civilian jobs, Lynn said. To make better use of those skills, he added, DOD will increase the number of Guard and Reserve units dedicated to cyber missions.
At the same time, the department is working to extend its expertise to industry.
“Because of our intelligence capabilities, government has a deep and unique awareness of certain cyber threats,” he said. “Through classified threat-based information, and the technology we have developed to employ it in network defense, we can significantly increase the effectiveness of cyber security practices that industry is already carrying out.”
The department already shares some unclassified threat information with defense companies that have networks containing sensitive information, Lynn said. He added that a pressing policy question remains as to whether classified signatures and their supporting technology should be shared across the full range of industrial sectors supporting the military and the economy.
“The real challenge, at this point, is developing the legal and policy framework to do so,” he said.
Securing the nation’s networks will require unprecedented industry and government cooperation, Lynn said.
“With the threats we face, working together is not only a national imperative,” he said. “It is also one of the great technical challenges of our time.”
