Routine cyber defenses such as patches, firewalls, intrusion detection and monitoring software will protect computer networks from roughly 80 percent of cyber attacks, but more sophisticated attacks require active defenses akin to “maneuver warfare” in cyberspace, Deputy Secretary of Defense William Lynn recently said.
“The last 20 percent, and again that’s a very rough estimate, the most sophisticated attacks ultimately will not be deterred or stopped by simply a patch and pray approach,” Lynn said at the Council on Foreign Relations. “What you need is a far more active set of defenses. You need things that work by identifying signatures in advance, screening out malicious code at the boundary of the network. And you can’t assume that you’re going to get everything. You need software that’s going to be able to hunt on your own networks and find malware. When you find them, you need to be able to block them from communicating outside. So, in other words, this is much more like maneuver warfare than the Maginot Line.”
Lynn’s speech followed his essay in the September/October issue of Foreign Affairs, in which he outlined the Defense Department’s cyber strategy following a surprise intrusion attack on its classified military computer networks in 2008.
In the article, Lynn outlined five pillars of the Pentagon’s cyber defense strategy. Active defenses are one pillar. The other four are recognizing that cyber security is a new domain of warfare; having DoD participate in the protection of the nation’s critical infrastructure, an area where the Department of Homeland Security has the lead; treating cyber defense as a shared activity, both domestically and internationally; and continuing to leverage the country’s technological base to retain what is currently a “fragile” cyber advantage.
Moreover, Lynn said last Thursday, the United States needs to use its technological innovation to change the terms of the cyber security equation in which attackers currently have the advantage.
“I think over time we can develop techniques in the Internet that will even out offense and defense to a greater degree than we see now,” Lynn said. “We’re asking DARPA (Defense Advanced Research Projects Agency) and some of the other organizations inside DoD to take a look at ideas that might push us along that line. We’re talking to industry about how we might do that. And I think over the long haul, and by long haul I mean 10 to 20 years…we might be able to change the terms of the attack-defense equation.”
The offense-defense equation is also a costly one for defenders, Lynn said. Sophisticated commercially available defense software today has five to 10 million lines of code, and “they are massive, work intensive, difficult products to develop,” he said. “The average malware has stayed constant over the last decade and it’s about 175 lines of code.”
That imbalance between offense and defense will remain for “a while,” he said.
Lynn also noted that it continues to be very difficult to ascertain the origins of a cyber attack. Forensics to identify an attacker “can take weeks, months or even years and that’s if you can do it at all,” he said.
In the 2008 attack against military networks, the counter operation, called Operation Buckshot Yankee, did succeed in identifying a foreign intelligence organization as the source of the attack, Lynn said. He declined further comment on that matter.
The difficulty in attributing an attack means deterrence is questionable because “you can’t deter by retaliating,” he said.