Click here to download the audio.

NICHOLAS THOMPSON: Today's speaker is William Lynn. He is deputy secretary of defense. He's also the author of a piece in the current issue of Foreign Affairs, "Defending a New Domain: The Pentagon's New Cyberstrategy."

So welcome to the podium Secretary Lynn.

DEPUTY SECRETARY OF DEFENSE WILLIAM J. LYNN III: Thanks. Thanks very much, Nicholas. I appreciate the opportunity to come to the Council. I was just testifying before Congress, and there's a timer right here. It's great. It's just like Congress. Well, hopefully -- actually, hopefully not.

But it's a pleasure to be here in New York. It was terrific working with Richard and the team at Foreign Affairs on the article, and I appreciate the opportunity to talk a bit about the article on cybersecurity with you all.

It's a little it bit odd for somebody my age to be talking about cyber, because I'm kind of in between. On one hand, I'm old enough to be somewhat fluent in cyber, and of course, you know, I have a BlackBerry and a cell phone. I even have an iPad.

On the other hand, I don't know how any of these things work, and I pretty much left off the technical side when I couldn’t learn to program my VCR. So the technical side of this is not going to be my strength.

But I want to talk a bit about the attributes of the threats I think that we face, the vectors that those threats could come down, and then about the strategy that we're developing at the Pentagon to deal with at least the military side of that threat.

And in the article -- and I'll start here, too -- I started with an incident which was a seminal moment for cybersecurity in the Pentagon. It was an intrusion in 2008 into our networks, and that intrusion extended to our classified networks. And we did not think our classified networks could be penetrated to that point. So it was -- it was a fairly shocking development. It happened with a thumb drive transferring data from the unclassified networks to the classified networks, happened in the Middle East.

We spent a lot of time, energy, and money remedying the situation. That operation was called Operation Buckshot Yankee. And it led to a new approach to cybersecurity in the Pentagon, and I want to -- and we've extended on that now with our strategy, and I want to come back to that.

But before I get to what we're doing about it, let me describe how I think you ought to think about the threat. And there are several characteristics that you ought to think about when you're thinking about cybersecurity.

The first is that we use the word "asymmetric" fairly frequently now in warfare, but it is particularly true in cybersecurity. It requires a very low cost for people to develop cyberthreats, malware that can intrude on information technology systems.

On the other hand, defending against those threats requires a substantial investment. And let me just give you one nugget as an example of that. Some of the most sophisticated integrated defense software that is commercially available now have 5–­­10 million lines of code, and they are massive, work-intensive, difficult products to develop. The average malware has stayed constant over the last decade, and it's about 175 lines of code.

So the disproportion there between the offense and the defense is substantial and will, I think, remain so for a while. I want to talk about how we might change that toward the end.

A second characteristic of cyberthreats is the difficulty of attribution. A keystroke can travel around the world twice in about 300 milliseconds. That is as long as it takes you to blink your eye. Yet the forensics of identifying an attacker can take weeks, months, or even years, and that is if you can do it at all. Going back and figuring out where an attack came from is extremely, extremely difficult and by no means a sure thing.

That has some real importance in that it starts to break down the paradigm of deterrence that was the undergirding of nuclear forces in the Cold War. If you don't know who to attribute an attack to, you can't retaliate against that attack, so you can't deter through punishment, you can't deter by retaliating against the attack. This is very different, of course, than, you know, with nuclear missiles, which, of course, come with a return address. You do know who launched the missile.

This is, I think, further complicated by the third attribute I'd talk about in terms of cyberthreats, which is that they are offense-dominant, that the Internet was not developed with security in mind. It was developed with transparency in mind; it was developed with ease of technological innovation; it was developed with openness in terms of the system design. But it was not developed with techniques of security management, like secure identification. Those kinds of techniques were not built into the networks.

And so structurally you will find that the defender is always lagging behind the attacker in terms of developing measures and countermeasures. So adept programmers will always be able to find vulnerabilities. They will always be able to challenge security measures. So as we look toward a strategy, our view is that you cannot adopt a fortress mentality, a Maginot Line of firewalls and intrusion-detection devices. You
need to be far more innovative and active than that. And I'll talk about that in just a second.

But before I get to strategy, let me talk a little bit about where the vectors of the attack might come from. The first and most obvious and most talked about is through the network itself. You can attack over the Internet itself; you can use messages and develop ways into networks. But those are not the only ways. You can also come across the supply chain. And from the Pentagon's perspective, it isn't only about the military networks. The critical infrastructure networks are equally important as well: the power grid, the transportation network, the financial systems are critical to our economy and therefore critical to national security.

So how do we propose to respond to this? At the Department of Defense, we're laying out a strategy, and the strategy has five pillars. The first of the pillars is that we need to and have recognized cyberspace for what it is: a new domain of warfare. Like land, sea, air, and space, we need to treat cyberspace as a domain we will operate in, that we will defend in, and that we will treat in a military doctrinal manner.

Now that means we need training, we need doctrine, we need organizations. It's what led us to create a command for cybersecurity, the Cyber Command, which is a subunified command underneath Strategic Command. It gives us a single chain of command for the individual services to present their forces, and for the Cyber Command to deploy cybersecurity assets as we need them. So that's the first pillar.

The second pillar -- I've referred to it a couple of times -- is that defenses need to be active. They need to include the generally accepted commercial passive lines of defenses, that is, just ordinary hygiene: that you download the patch, that you update your software, that you keep your firewalls up to date. And you also need perimeter defenses, the second line you must find in commercial defenses: you need intrusion-detection devices, you need monitoring software. You need all of those things.

And those things will probably be effective at this point -- and will probably help you with about 80 percent of the attacks that you could see today. The last 20 percent -- and it's a very rough estimate -- but the most sophisticated attacks ultimately will not be deterred or stopped by essentially a patch-and-pray approach.

What you need is a far more active set of defenses. You need things that work by identifying signatures in advance and screening out malicious code at the boundary of the network. And you can't assume, though, that you're going to get everything. You need software that's going to be able to hunt on your own networks and find malware. When you find them, you need to be able to block them from communicating outside. So, in other words, this is much more like maneuver warfare than the Maginot Line.

The third pillar of the department's cyberdefense strategy is that we need to participate in the extension of protections to our critical infrastructure. What I mean by critical infrastructure is not individual users in their homes. I'm talking about the power grid, I’m talking about the transportation networks, the financial networks -- those networks that undergird our whole economy.

For those networks, the governmental responsibility is with the Department of Homeland Security, and that's where it should be. But there are capabilities in the Department of Defense that the Department of Homeland Security can access from the defense side of the equation, so that we can make sure that our critical infrastructure is indeed protected. So that's, I think, a third pillar in the strategy.

The fourth pillar is that cyberdefense is a shared activity. It is the same approach that we ought to take, that there is a strong logic for, as there was when we formed our alliances during the Cold War, NATO, and the Asian alliances. And there are technical reasons for this. The more attack signatures that you're able to identify in advance, the stronger your defenses will be. So getting together with allies, identifying attack signatures, exchanging those signatures, exchanging technology -- essentially using a Cold War concept but updated to shared warning -- is something that we need to pursue in the cyberdefense arena. And we have been doing this with our closest allies -- the United Kingdom, Australia, Canada. We're now looking to NATO. I think at the Lisbon summit you'll see a strong NATO statement on the importance of cyberdefense, and I see that as an expansion of this collective defense concept.

The fifth and final pillar is that we need to continue to leverage the U.S. technological base so that we retain the technological edge that we have right now in the cyber arena. I think it's a fragile advantage that we have, but it is indeed an advantage. We need to marshal our resources to ensure that we have the technological resources that we're going to continue to need to be able to defend our information technology assets from wherever an attack might come.

I also think we need to use that technological innovation to try and change the terms of the equation that I described, where the attacker has such an advantage. I think over time we can develop techniques in the Internet that will out-offense and -defense attackers to a greater degree than we see now. And we're asking Defense Advanced Research Projects Agency and some other organizations inside the Department of Defense to take a look at ideas that might push us along that line. We're talking to industry about how we might do that. And I think over the long haul -- and by “long haul,” I mean 10–20 years -- this is not going to be a snapshot solution. But I think over the long haul, we might be able to change the terms of the attack-defense equation.

Let me just wind up and say, in just a few years information technology has transitioned from just a support function at the Department of Defense to a strategic element of power in its own right. Indeed, the front lines of national security have been redefined. Any major future conflicts will almost certainly involve elements of cyberwarfare. And the threat posed by cyber extends far beyond military operations. It extends, as I indicated, to the very heart of our economy.

As I explained, our networks were compromised two years ago. We think we've taken steps over those two years to make them substantially safer than they were then, but our lead in this area is fragile. We need to stay ahead of the threat. We need to develop the organization, the doctrine, the training, the resources, to maintain our military networks, and work through Homeland Security to defend both our government networks and our critical infrastructure. With that, I'm happy to take your questions. 

THOMPSON: Thank you very much, Secretary Lynn. That was both interesting and encouraging. Many people have been saying that the U.S. government needs to take a stronger stance in this area for a long time, and you clearly are leading that effort, so thank you.

The first question I want to ask you is one of the big debates in this area, which is civilian versus military control of all these matters. If there's an attack on us, it will presumably come from someone who's maybe using e-mail. It may be directed at a specific type of U.S. hardware. For example, we've all been reading this week about the Stuxnet attack, which is a virus that was specifically targeted at Siemens hardware, possibly in Iran, possibly elsewhere, but it's through a private company.

There will be layers and layers of private companies that will be involved in any attack. Many of these companies don't trust the government or have limited trust of the government. And even if they do, they probably trust the civilian side more than the military side. How do you navigate this very complicated issue of where civilian control begins and ends, and where military control begins and ends?

LYNN: That's a good question, Nicholas. I mean, as I indicated in the talk, I think we've set up a structure in the U.S. government where the responsibility for protecting the civilian infrastructure as well as the government works with Homeland Security. And I think that's appropriate, and I think that reassures people along the lines that you were raising the question.

I think, though, that Homeland Security requires a collaboration with the Department of Defense, because much of the government's capabilities in terms of cybersecurity and cyberdefense reside with the Department of Defense, of which the National Security Agency is certainly the center of excellence for our department in this.

We need to develop ways in which Homeland Security can access the capabilities of National Security Agency and the Department of Defense and use them with appropriate authorities in protecting civilian infrastructure and government infrastructure. I think the analogy probably is to what you call defense support for civilian activities, and by that I mean things like disaster relief.

When a hurricane hits the East Coast, the Department of Defense has enormous assets -- helicopters, transportation, logistics -- that can be provided to help. But it's FEMA that's in charge. And FEMA calls on those Department of Defense assets, but FEMA is the organization in charge. And this is, I think, a similar kind of a situation.

THOMPSON: Are there red lines you specifically try not to cross -- for example, “We will never ask a private company for information on U.S. citizens,” or something like that?

LYNN: Well, I mean, we're not in the business of asking for U.S. citizen information.

THOMPSON: But if there were attacks through -- let's say you were tracing an attack and you found a signature, you found lines of code. And then you found that those lines of code had been discussed on a message board from a company that was hosted in the United States. Would you feel that the Department of Defense could say, "Hey, we need all your user logs for this particular time or for these particular users"?

LYNN: I mean, if that happens, there's basically a law-enforcement procedure and warrants. And it isn't a Department of Defense issue. If it goes into law enforcement, it would actually be an FBI question. If the National Security Agency found something like that, they would hand it to the FBI; the FBI would pursue it.

THOMPSON: All right, let's talk about another issue. I know that one subject that you can't really talk about is offense, and so I want to stay away from that. But I want to talk about deterrence. You mentioned that you would like to deter attacks. And one way you could deter attacks is make it clear that if you do attack us, there will be consequences. Ideally, one thing you can do is get better at tracking down where attacks come from.

LYNN: Yeah.

THOMPSON: I assume that's a major part of what you're doing.

But another thing you could do is you could make it clear that if you catch somebody attacking, there will be consequences to that person or to that system; or if there's a major attack, there will be some form of technological retaliation. Is that something that is U.S. policy or something you're considering?

LYNN: I mean, where you're going is what is the declaratory policy.

THOMPSON: What is the declaratory policy?

LYNN: That is something that is under active discussion as to what it ought to be, what it ought to include. But it's an extraordinarily difficult challenge. As we were saying in the other room, the policy challenges here are tough.

And in this case, it's difficult to define exactly what an attack is. You can go to one extreme. Clearly, if you take down significant portions of our economy, we would probably consider that an attack. But an intrusion stealing data, on the other hand, probably isn't an attack. And there are an enormous number of steps in between those two.

And so one of the challenges in getting a coherent declaratory policy is deciding at what threshold you start to consider something an attack. You know, what threshold is it more like espionage or theft. And I think the policy community both inside and outside the government is wrestling with that, and I don't think we've wrestled it to the ground yet.

THOMPSON: So at some point in the current administration do you think there will be a declaratory policy on cyberdeterrence of this sort?

LYNN: It's an issue that's being worked on. I can't give you a schedule for a result.

THOMPSON: (Laughs.) And you -- presumably you can't tell me the actual policy and not the declaratory policy.

LYNN: Right.

THOMPSON: (Chuckles.) We'll go no further.

I want to ask you about the cyberconflicts we've seen in Estonia, where presumably Russian hackers shut down the banking system.

LYNN: Right.

THOMPSON: We've seen in Georgia similar things happening.

Tell me what you think -- not 20 years out, but five or ten years down the road -- what are we going to see of these conflicts? How is this going to grow? Clearly, technology is improving. Clearly hackers are getting better. How big a part of future conflicts will cyberwar be, and in what way?

LYNN: I mean, I think it's going to be integral to future conflicts. I think sophisticated, and maybe even relatively unsophisticated, participants in a conflict are going to use cyber. If you figure the Internet is 20, 20-plus years old, and you use the analogy of aviation when the first military aircraft was bought, I think, in 1908, we're in about 1928. You know, so we've kind of seen some kind of biplanes shoot at each other over France.


LYNN: But we haven't really seen kind of what a true cyberconflict is going to look like. And I think it's going to be more sophisticated, it's going to be more damaging, it's going to be more threatening. And it's one of the reasons we're trying to get our arms around the strategy in front of this, rather than respond to the event.

THOMPSON: So what does 1941 look like?

LYNN: It's very hard to say. I mean our ability to predict future conflict even in the conventional arena is pretty limited. I think if you go back the last 30 or so years, and you stood six months back from any conflict, you wouldn't have predicted it, with the exception of the Iraq war -- it's the only one that I think you probably saw coming. The first Gulf War, Bosnia, Panama -- six months out, you wouldn't see any of those coming.

So it's very hard to predict them. You're kind of going to the characteristics. We are very dependent on information technology for much of our military capability, so I think you can see challenges to our ability to do precision targeting, to communicate. I think you can see challenges to our logistics systems, to our transportation systems. And -- as I indicated -- I think there could be threats to the economy.

THOMPSON: I mean, there are people who for the last decade have raised the specter of, “They'll control our unmanned areal vehicles and turn them around, and then they'll shoot against us, or they'll blow up the power grid.” And up until two weeks ago, I would have said, “That's insane, no one can do that.” There is lots of cyberespionage, there is lots of denial-of-service attacks. But now with Stuxnet, it seems we're moving considerably closer to that. Do you think we're five years, ten years away from the first conflict where someone really does shut down a power grid? Or do you think that's -- who knows?

LYNN: It's more who knows. But it's hard to say. I mean, I think the capabilities are being developed. As a Defense Department official, I think we need to respond to those capabilities. We don't really see the intent out there among, you know, other nations to do that to the United States.

Now terrorist organizations would be a different -- so I think you have to worry that either nations with sophisticated capabilities would get the intent for some reason, or that terrorist groups who already have the intent will gain the capabilities. Either way, we need to be prepared to defend against sophisticated cyberattacks.

THOMPSON: Which of those two keeps you up more at night? Is it the terrorist groups that don't have the technologies right now or the sophisticated groups who don't have the intent?

LYNN: I think the terrorist groups.

THOMPSON: With developed technology, one more question that I think is important and is related to the previous one is that a lot of people who are really raising this specter also have skin in the game. They say that we're approaching cyberwar and also serve as consultants to cyber companies that are selling defensive systems. And people are starting to call it the cyber-industrial complex. How influential do you think this is over the debate? Do you think it's problematic?

LYNN: I missed the --

THOMPSON: I said there are a lot of people making a lot of money off of selling cyberdefensive systems to the Pentagon. And these are often the same people who are saying, "They're going to knock our planes out of the sky! They're going to blow things up!" Many people don't know that they also serve as consultants, that they're getting all these contracts. Do you think that the debate in this country is being shifted in a way that's unhealthy, or do you think this is all just fine?

LYNN: I mean, I think you always have to worry about conflicts of interest and self-dealing. But I think the cyberthreat is real, and we need to develop capabilities to defend against it. And that's certainly going to involve industry. So we need to put the appropriate protections in for conflicts, but I don't think the whole thing is made up, if that's where you're --

THOMPSON: Well, that's not the question that I asked, but I think your answer is very clear and very helpful.

All right. We are going to now move to questions from the members.

So starting right here.

QUESTIONER: I'm Dick Garwin, IBM fellow emeritus.

In your very good article in Foreign Affairs, you indicate that we're probably ahead in offensive cyberwarfare, we're probably ahead in defensive cyberwarfare -- that is, better than other people at defending. But you imply that we may be behind in the defense against the offense, and that you hope that in ten or 20 years we can reverse that. But in the meantime, in my opinion, we had better be able to compartmentalize certain groups of networks, so that we can maintain the security and the operability of those networks in the face of attacks that would bring down lesser-protected networks.

And I know this is going on, but it's something that people should realize. The fact that there are successful attacks all the time doesn't mean that everything is vulnerable at the same time. Some things can be protected, and we have to keep that in mind.

LYNN: Well, I think that's right. I mean, I don't want to overstate the threat. There are capabilities out there that are very disturbing. But I think you're right, nobody can take everything down at once. And on the military side of the equation, we have in the two years since the Operation Buckshot Yankee -- we're by no means perfect -- but we're far more robust and redundant than we were two years ago.

Part of what I'm saying is I think that we can work along the same lines, through Homeland Security, to strengthen the protections in the rest of the government and strengthen the protections in areas of the economy that are critical to the operation of the economy and thereby critical to national security. That's the line that I'm going on, but it's not "the sky is falling," by any means.

QUESTIONER: Hello. My name is Timothy Reuter, and I'm affiliated with a company called TigerTrade.

In your earlier remarks, you talked about tighter integration with our allies, such as the United Kingdom, Canada, and Australia. What do you think is the value of negotiations and treaties with our competitors, such as China and Russia, where many people believe most of these attacks are coming from?

LYNN: It's a very good question. I think international negotiations are something that we need to explore, to see if you can establish norms that are going to make the world safer for essentially everyone.

I think I indicated in the article, at least in an aside, that we need to be careful about the model we use for those negotiations and that traditional arms-control negotiations, with verification and strict limits, is probably the wrong model; that a law-enforcement model is better, and we already have some successes in the law-enforcement area, particularly in the Council of Europe.

I also think that a public health model has some interesting applications. Can we use the kinds of techniques we use to prevent diseases, the kind of prophylactic techniques that get international acceptance? Could those be applied to the Internet? And I think it's worth talking not just to our closest allies but to everyone about how to do that, and I think that that's something we need to think very hard about.

QUESTIONER: My name is Alex Zedgrov. I'm the chair of Alec Group. My question to you goes to your definition of the attack. Like you said, it's not easy to define what constitutes an attack. And my question to you is how you deal with attacks that come from transnational organizations, terrorist networks. And in those cases, how do you identify the responsible party? If an attack was launched from a particular territory of a state -- it can be an ally or otherwise -- how do you hold responsible that same state? What steps are you going to take to protect ourselves? How do you distinguish between a state-launched attack, let's say from Russia or China, or a terrorist network? And how do you hold the state that is possibly harboring those organizations responsible?

LYNN: Well, I mean, that's what drove me in a couple ways. Difficulty of attribution is inherent, I think, in the Internet, and in some cases, you can never get to a place that you feel confident. In others, it will just take you too long. And it's one of the reasons that I pushed on that second pillar, is that you need to look at active defenses, because you may not be able to deter that kind of attack. You simply have to deny the benefit. So you may not be able to deter it with a retaliatory response, but if you deny the benefit of the attack, then you may be able to deter it that way. If they don't get anything from it, they'll lose interest in the attack. So we need defenses that are far more robust than just conventional software patches and intrusion detection and firewalls. You need a set of defenses that you have more confidence will get a higher percentage of the attacks.

THOMPSON: To what degree did we figure out who was responsible for the 2008 Operation Buckshot Yankee attack that you mentioned at the beginning of your remarks and the beginning of the article?

LYNN: We did narrow it down, and I think we did identify that it was a foreign intelligence organization, and that's about all I'm going to say.

THOMPSON: I won't ask you which one, but do you know which one?

LYNN: We did figure it out, yes.

THOMPSON: And did -- thank you. (Laughter.) I'm not going to get any further. Why ask?

Very back, please.

QUESTIONER: (Name off mike), Greenberg Traurig. How do you begin enlisting the 19- and 20-year-olds who are born with cyber genes to resolve or solve the problems that your generation and certainly mine know so little about?

LYNN: Well, I kind of gave a warning about my technical expertise at the beginning. We're having, I think, quite good success at the National Security Agency, at DARPA, in hiring those 19- and 20-year-olds cybergeniuses. And I think they find the challenge exciting. I think the government is, in this area, in an exciting technological place, and it's certainly worthwhile to be part of defending your country. So we are actually having quite good success in recruiting those kinds of individuals.

QUESTIONER: Ian Murray, Lanexa Global Management. I have a question that might not apply to you, might be more on the criminal side. But the wonderful thing about the Internet, of course, is that it is a network of networks without any central regulation. And so people who use it and people in technology get really nervous when governments start talking about regulating it to track down either criminals or terrorists. And so do you think there's a way the government is going to be able to do this effectively to get the outcome they want without ruining what makes the Internet such a tremendous asset globally?

LYNN: I do think so. I've talked a lot about active defenses. None of the active defense techniques that I'm talking about impinge on the privacy of -- or the liberties of -- individual users. There's no need to get to that point. What you're talking about is parts of the economy that need to be protected.

And in general, in those kinds of companies, you're talking about proprietary networks that are controlled by companies. And so you have to work out arrangements with companies as to what they want to allow and what they won't. But you're never reaching the individual user. So generally the privacy concerns and the civil-liberty concerns aren't raised with the kind of defense techniques we're talking about.

THOMPSON: Will you define active defense a little more? It means we don't just build a bunch of walls to stop people from getting into our systems, but we also --

LYNN: You need to be able to essentially operate on your own network on the assumption that they will have gotten in, and so you need to be able to hunt on your own network, you need to be able to block communications out from your network to an adversary server. So you need to be able to operate and maneuver inside your own networks to be able to conduct these kinds of activities.

THOMPSON: And does it also mean, related to the past question, to know when someone has gotten inside of a related network, say, a defense contractor's network, and is leading attacks on you, and to use the same mechanisms against that person there?

LYNN: You don't need to protect the military networks; they don't need that. It may be that you want to extend that to defense industry. Then you would have to get inside, then you'd have to get consent from that company, and you have to work through the legal issues there.

QUESTIONER: My name is Stanislav Terzhavsky. I'm an engineer of application security. You mentioned that the Internet by definition is an open and not reliable, not secure network. Are you working on anything fundamentally different, fundamentally secure, fundamentally robust?

LYNN: We've got concepts that would be -- again, we're at the limits of my technical knowledge. There are concepts of trying to develop the Internet so it acted more like a human organism, so that it essentially, when it was hit with a virus, it mutated to respond and fend off that virus. But that's about as far as I can go with that concept. But there are ideas like that that would change somewhat the nature of the Internet and that would shift the advantage much more to the defender and away from the attacker. But I think we're years and years away from seeing anything like that implemented.

THOMPSON: By that do you mean a sub-Internet within the Defense Department where all these things happen that act more like a human? Or do you mean changing the whole nature of the whole Internet?

LYNN: Well, it could be either. You'd obviously have to start someplace and, you know, if it worked, it would propagate.

QUESTIONER: My name is Duncan Card. I chair the technology practice at Bennett Jones law firm in Canada. Three really quick questions. One, can you comment on Cyber Storm III? Two, on the diplomatic side, when you discover or you conclude that a particular government has been engaged in this activity, what are the diplomatic activities that are happening to stop that in the future? Three, what does the United States need to do outside of its borders in foreign jurisdictions to protect itself?

LYNN: Cyber Storm III is an exercise that the U.S. government conducted both interagency and internationally to test out cybersecurity concepts. To your second question -- it's run by Homeland Security. On diplomatic efforts, they would be the same as any other. If we think, you know, somebody has done something that we object to, we use various means, including diplomatic, to object. I don't think cyber is different in that regard.

QUESTIONER: (Off mike.)

LYNN: Well, that was the fourth pillar I was talking about. We do want a collective defense concept. We're exchanging signatures; we're exchanging how we respond to those attack signatures and what kind of technology might be used. So I think it's a collective defense, shared warning kind of world that we want to live in.

QUESTIONER: (Name inaudible) -- Lion's Path Capital. A new fiscal year starts tomorrow. I'm curious, if you look at budget plans over the next couple of years, do you think this is an area that's adequately resourced in Department of Defense plans for all the things you'd like to do?

LYNN: Happy New Year. (Laughter.) I'm an old comptroller, so we have resourced this fully, we think. I think this is an area where ideas are harder to come by than resources. You know, what's the next concept, how do you take it?

And the ideas tend to at least start small, so I think ultimately you might face -- depending on how big it gets -- you might face resource challenges. I don't think we're at that stage of the development yet.

THOMPSON: To clarify, someone in the defense industry in a rapidly moving area with lots of needs has just said we don't need any more money.

LYNN: Yeah. (Chuckles, scattered laughter.)

THOMPSON: Excellent.

QUESTIONER: Hi. Andrew Dodi of Clearing Price.

My question is, Are we positioning ourselves to be the cop on the beat with cyber? For example, Iran reported their nukes were recently hacked, and the primary suspect was Israel. Brazil, not a usual suspect in this, was hacked fairly recently, which I think I found out watching Charlie Rose. So to form a question, Are we stuck with being the cop on the beat to grown-ups in cyberspace?

LYNN: Well, no. I think it is the two lines that came up in earlier questions. I think we do want to work with our allies to develop our defenses. And to the question that was over on the left, I think we ought to look at regimes, public health, law enforcement, where we could establish international norms that might restrict some of the kinds of threats that we would face. So are we going to be the enforcer? No, I don't -- at least, that's not the direction things have taken.

QUESTIONER: Hi. Rafi Kachadorian. I have two questions.

One is, you know, when the Air Force conducts a sortie in Afghanistan and they knock out some critical infrastructure, we often read about it and hear about it as kind of offensive operations. When the Marines do something in Helmand, we'll hear about it shortly after. Well, how is it difficult in the realm of cyberwarfare for you to talk about offensive operations, let's say taking out an al Qaeda Web site or whatever it may be? Why in this realm is it harder to discuss the offensive side?

My second question is about in the context of WikiLeaks. Maybe you could share some thoughts on WikiLeaks. But in the broader sense, in terms of developing our cybersecurity, Defense Advanced Research Projects Agency recently announced that it was accepting submissions or encouraging academics and other security specialists to think about how the problem of overclassification could be managed. And it seems that that would be an interesting way to sort of deal with containing or managing our state secrets, especially some of the tactical information that we have on WikiLeaks.

To what extent, in the review and conversation that you're having, is managing overclassification part of our cybersecurity strategy?

LYNN: I don't think overclassification's so much come up in terms of WikiLeaks. But President Obama came in with a commitment to try and declassify as much as security warranted, and we've tried to move down that path.

In terms of the offensive operations, there's just very little that you can say beyond that we develop the capabilities we think we need to defend against the threats that we see out there, and beyond that, I can't really expand.

QUESTIONER: Harriet Pearson, with IBM Corporation.

To go back to collective defense, what's your perspective on the U.S. strategy or role in trying to maintain some level of consistency in how governments look at procurement as an area for supply chain? You mentioned supply chain earlier, for example. You know, India, for example, has been attempting to look at telecommunications networks and the security or the integrity of products there. Other governments have been trying to look at the same. What's the role of a global approach -- or at least, an allied approach -- to maintain some consistency of approach and in support of economic development there, too?

LYNN: You know, I think that's a good thought, that the collective approach to the supply-chain threat has real merit. I mean, the supply-chain threat -- that is, the equipment that you gain may itself be compromised before you've even begun to operate it.

I don't think an approach of just trying to build everything behind a fence is going to work. We're going to have to have far more sophisticated techniques. I think IBM, Microsoft, some other companies have developed some risk-management techniques, some randomization in terms of where equipment's going, some approaches to testing. There isn't going to be a silver-bullet solution to this. It's far too complex a problem. So you're going to have to find layers of solutions that, hopefully, make it too costly for somebody to pursue that -- it's going to be too random an event when they succeed to be worth the effort. And I think using our allies in that effort makes a lot of sense.

THOMPSON: Similarly, do you ever use, or do you have a declaratory policy of setting up honey pots, for example, within the Defense Department, whereby you put up caches of information that may look like they're relatively easy to get but are actually traps for false information, or things like that?

LYNN: Well, if we did that, I wouldn't tell you. (Laughter.)

THOMPSON: Well, but you might have an incentive to tell me that you do, so that I would try not to get the real stuff. Could be playing a double-game here.

I want to ask one more question about espionage, which is something you were talking about a little bit earlier downstairs. There are real, actual spies. There are, you know, Russians who infiltrate New York City, as we know. And there are also people who hack into our systems and steal our stuff, and we've seen several citizens who've been working with the government of China have been recently sentenced. Have we reached the point where the balance of what we should be worried about has shifted into the cyber area, away from the -- other side?

LYNN: I mean, I think in the cyber area the threat has often become a multiple, so that in the Cold War days, World War II days, somebody would steal a book or a formula; now with cyber, if they get inside, they might steal the whole library. And so it has multiplied that way.

In terms of when you look at export controls, we're trying to control exports of various technologies. Now, we want to reform that, but at the same time, you can see in the cyber area that the designs are being exfiltrated through a cyberintrusion. And so we may be watching the wrong -- the wrong post, as it were.

THOMPSON: Fair enough. Okay.

QUESTIONER: Hi. I'm Adam Segal, from here at the Council.

You mentioned that you didn't think we'd be moving very forward on traditional arms-control agreements. And this is probably not the best time for these kinds of conversations, given our current relationship with China and the way that military-to-military contacts are going, but if we were to have a discussion with China about norms of behavior, what types of things do you think we could actually move forward on, and what types of things would you like to know that the Chinese are thinking about -- thresholds, declarative statements, types of things that they would hold at risk? What do you think we could actually accomplish in the short term?

LYNN: Well, I certainly think, and Secretary [Robert] Gates has been very clear, that we ought to have greater dialogue with the Chinese. And I think cybersecurity would be part of that dialogue. I also think we have been interested in getting both nations inside the law-enforcement regime that started in Europe a few years ago. And I think that that has promise, as well. So I think there are avenues that could be pursued.

QUESTIONER: Hi. Tom Davey, Council on Foreign Relations.

Secretary Lynn, your excellent Foreign Affairs essay doesn't discuss open-source software as a potential component of a defensive cyberdefensive strategy. Advocates of open-source software argue that it's inherently less susceptible to malware like the Stuxnet worm, which is propagated by proprietary software. What is the Department of Defense’s attitude toward open-source software?

LYNN: I wouldn't exclude it as a path. On military systems, open-source software has limits in terms of what we can use it for. We often have particular code that we need and that has to be done in a classified setting, and so that can limit us in some ways.

But I think, you know, your more general point that open-source software, because it mutates more and is updated more often, may be less vulnerable, I think that's something we need to look at in a variety of sectors.

QUESTIONER: Nick Platt, Asia Society.

Mr. Secretary, do you have any advice for ordinary mortals like myself, who are struggling with their BlackBerrys and their iPads and so forth, to protect their sources of information -- bank accounts, etc., etc.? Is there something you think we should be doing, or not doing?

THOMPSON: Ordinary mortals --

LYNN: Well, I'm really way out of my expertise. But I think, you know, reading the literature, just keeping your software and firewalls up to date deals with the great majority of the threats. The most common avenue, I think, for that kind of threat is people who just didn't download the patch and just didn't get around to it. It's not perfect, but it deals with an enormous segment of it.

THOMPSON: Ordinary mortals who happen to be former ambassadors of perhaps the largest rival in cyberspace.

QUESTIONER: (Off mike) Nickels from Reuters.

I just wanted to follow up on the Stuxnet virus. Where do you think it came from? Do you think its intended target was the Iranian nuclear plant? And how much of a concern is it? And also, what country do you think poses the greatest cyberthreat?

LYNN: I don't know where Stuxnet came form. I think it indicates the challenging nature of the threats, that these threats are evolving. That's why I talk about the technological innovation. We have to keep moving, because the threat is going to continually pace forward.

THOMPSON: By saying you don't know where it came from, are you saying that it did not come from the United States?

LYNN: I don't know.

QUESTIONER: Herbert Levin. At one point, you seemed to indicate that the main thing was to have a good defense, because it was awfully hard to track down the perpetrators, the attackers. Then at another point, you referred to perhaps the World Health Organization, or even the IAEA, having international norms. I appreciate that we have a robust defense against nuclear attack, and we are very strong in our support of the IAEA, but how do you handle these two things simultaneously? Because if you concentrate on your defense, not in building -- (audio break) --

THOMPSON: Oh, no, we've lost him.

LYNN: Yes. The Council is censoring your question. (Laughter.)

QUESTIONER: There's a bit of a contradiction there. And I do note that when we had an ACTA about weapons, it was in the State Department. WHO was in another part of the U.S. government. Is the Defense Department really the best place to put this, from the standpoint of cooperation with the rest of the world, most of which are not our allies?

LYNN: Oh, I'm not suggesting that if we have negotiations, it would be the Defense Department that would lead them. It would almost surely be State.

QUESTIONER: Maera Jayno, Columbia University. Could you say a little bit more about what the law-enforcement model offers? The reason I'm asking is because I think of it as working particularly well in jurisdictions that have similar protections, that allow for information sharing. And there are very few of those. So when you're working with countries that don't have comfortable levels of protection within their own societies, how can you work with them across borders?

LYNN: Well, no, I think a part of the law-enforcement model is that the nations that subscribe to it would have to open things up more than they may be comfortable. And that may be a limitation of the law-enforcement model. I think you're right.

QUESTIONER: I'm Bob Lindstrom of Forbes magazine. Where do we stand with the plan and the obtaining of the finances to defend the U.S. utility system, the transportation system, the finance system? The reason I'm asking this is that six years ago I visited your facility in Albuquerque. They were running a model there that they could shut down the utility system in several cities. They didn't think that al Qaeda at that time had any real sophistication or capability of knowing how to utilize the Internet for doing something like that -- (audio break).

LYNN: Well, as I said, the lead on protecting critical infrastructure is with the Department of Homeland Security. We are working currently with them on developing approaches that would potentially extend to the areas that you talked about?

THOMPSON: Sort of an addendum to that question. If somebody wanted to shut down our power grid, you couldn't shut down one thing, you'd have to shut down hundreds of power grids across the country, led by complicated bureaucracies. From a truly cyberdefensive perspective, is that a good thing because it means we have a dispersed, complicated target? Or is it a bad thing because it's harder to manage and work with all of those different power companies that are dispersed?

LYNN: Well, I think more good than bad. I mean, I think -- (audio break) -- is going to be one of the primary techniques that you use in terms of defending. I just don't think you can rely on it. And that's why I'm pushing forward on more active defense techniques. But I think you're right: you can't just push a button and take everything down. So having that disparate dispersal and somewhat different systems across different sectors and inside different sectors is an important protection.

THOMPSON: (Chuckles.) Excellent. So our immensely complicated power system, which no one has ever praised before now, has a real virtue to it.

LYNN: There you go.

THOMPSON: All right. Thank you very much for the fantastic session. I'm sure we all learned a lot. Thank you very much, Deputy Secretary Lynn. (Applause.) Tremendous.

LYNN: Thank you.

THOMPSON: Thank you. That was great.







Loading Loading