By Geoff Fein
The Defense Department (DoD) needs a cadre of cyber experts, trained and equipped with the latest technologies to protect and defend the military’s network infrastructure, said a top DoD official.
“Yet today, our military schools only graduate about 80 of these experts per year,” Deputy Secretary of Defense William Lynn said yesterday at the Center for Strategic and International Studies (CSIS) in Washington, D.C.
Lynn told government, industry and academia representatives the DoD is seeking funding in its FY ’10 budget to more than triple the number of cyber experts who graduate from the service academies to 250 per year.
“More broadly in the DoD, there are an estimated 90,000 personnel engaged in administering, monitoring and defending our 15,000 networks,” he added. “But most are not formally certified in information assurance and cyber security. So we are proceeding with a training and certification program to build a truly world-class cyber force.”
And DoD officials are including cyber security training, awareness, and accountability for the more than three million military and civilian personnel who log on to military networks, Lynn added. “Because as Gen. [Kevin] Chilton of USSTRATCOM has said, ‘every network computer is on the front line…every one who logs on is a cyber defender first.'”
Another issue Lynn noted is that while the DoD puts weapon systems through testing and evaluation before being deployed, and tests the skills and tactics of soldiers before they are sent into battle, no such equivalent exists in cyber security.
“DARPA, which helped develop the Internet decades ago, is leading our effort to build a national cyber range–in effect a model of the Internet–this will allow us to engage in real-world simulations and develop, test, and field new leap ahead capabilities for cyber security,” Lynn explained.
As the DoD builds these capabilities, Lynn said the military must resist the temptation and the false comfort of trying to retreat behind a fortress of firewalls. “Today’s cyber threats are organic and constantly evolving, our cyber defenses must do the same,” he added.
“We can’t afford a digital version of the Maginot Line…that static trench defense of World War I that the French assumed would work in WWII,” he added. “Instead we need to remember the lessons of maneuver warfare–from the Second World War to Operation Iraqi Freedom–when new tactics and technologies allowed nimble and agile forces to out maneuver their adversaries.”
Despite all the efforts and progress in defending the military’s and the nation’s networks, the country needs to be even better at protecting and defending against cyber attacks, he told the audience.
“We need to do it faster, at network speed. We need more people assigned and trained for this mission, and we need to end the jousting and jockeying within the department for personnel, for resources, for authority, that has often prevented a more coordinated and effective response to the cyber threat,” Lynn said.
DoD is considering the creation of a new command that would be a subordinate unified command under U.S. Strategic Command, Lynn said, to lead, integrate, and better coordinate the day-to-day defense and protection of defense networks.
“As of today [Defense] Secretary [Robert] Gates has not made the final decision on this command. But what I can tell you is this–such a command would not represent the militarization of cyber space,” Lynn said. “It would in no way be about the department trying to take over the government cyber security effort. On the contrary, such a command would not be responsible for the security of civilian computer networks outside the DoD.”
That effort would be left to the Department of Homeland Security (DHS), he added. Likewise, responsibility for protecting private networks would remain with the private sector.
The new cyber command’s mission would be to protect and defend the defense and military networks…the dot mil, Lynn added.
“Like other commands it would be responsive to congressional oversight would operate within all applicable laws and executive orders and regulations,” he said.
Lynn noted that ensuring cyber security in the years ahead will depend on how the nation answers some key questions. “For example, within the department, what are the rules of the road?”
As the CSIS report noted, there are a whole host of questions that the DoD faces: How can the military and government deter and prevent an attack, Lynn said.
“Deterrence is predicated on the assumption that you know the identity of your adversary. But that is rarely the case in cyber space where it is so easy for an attacker to hide their identity,” he said. “Beyond the military, how do we organize the government as a whole?”
Lynn pointed out that the president will soon name a cyber security coordinator at the White House to coordinate efforts across the government. DHS will remain the lead for protecting federal civilian networks. “And yet, given the imperative of defending government networks, it would be inefficient and indeed irresponsible to not somehow leverage the unrivaled technical expertise and talent that resides at the National Security Agency (NSA), which has so much experience protecting our national security system.”
It will also be important to apply that expertise in a way that upholds and respects civil liberties, he added.
Additionally, the government will have to examine how it operates on the international stage. “Many of the cyber attacks on U.S. networks originate overseas,” Lynn said. “Botnet attacks involve computers all over the world. How do we protect and defend ourselves in this global environment raises complex questions of national sovereignty and international law.”
And no single government would be able to confront these complexities alone, he added.
Then there is the issue of how the government partners with industry. Neither the government nor the private sector can solve the country’s cyber security challenges alone, Lynn noted.
“Government needs industry which owns and operates most of our nation’s information infrastructure,” he said. “The private sector needs the government to establish coherent and effective and transparent laws and regulations.
“Yet the difficulties of forging genuine public private partnerships in this area are well known,” Lynn added.
Fundamentally, it comes down to trust, he said. Industry needs to trust government to protect its proprietary information and government needs to trust industry to protect its classified information on threats and vulnerabilities.
“Meanwhile more adversaries are targeting our systems, more networks are being breached and more information is being compromised,” he added.
Although the DoD is exploring a number of models where the government and industry come together to share information and strengthen cyber defenses, Lynn said the DoD needs the help of industry, the government and academia to find the right models so that the military can forge real partnership of trust and cooperation.
“Because in the end, that will be the only way to meet the challenge, with partnerships of trust,” Lynn said. “The best minds in government and industry and academia here in the U.S. and around the world, working together.”