Government and industry must work more closely together to counter the growing threat to the nation’s cyber networks, Deputy Defense Secretary William J. Lynn told information technology professionals last week.
The Defense Department and other federal departments and agencies need to pursue or expand avenues for sharing information, strengthening network architecture and extending government’s network defenses to private networks that are key to national security and the economy, he said during a keynote speech at the annual RSA Conference for Internet Security.
Lynn told thousands gathered for the conference that the private sector’s role in defending the cyber domain is critical. Unlike the sea, air, land and space domains, cyber is not an area where military power alone can dominate, he said.
“The overwhelming percentage of our nation’s critical [information] infrastructure, including the Internet itself, is in private hands,” Lynn said. It will take the country’s “vast technological and human resources to ensure the United States retains its preeminent capabilities in cyberspace, as it does in all the other domains,” he said.
Telecommunications providers have “unparalleled visibility” into global networks and often possess the best operational capacity to respond to system assaults, Lynn said. “They can detect attacks transiting their systems, and in many cases, alert customers.”
Information-sharing efforts are under way, with industry and government executives meeting regularly as part of a partnership known as the Enduring Security Framework, the deputy defense secretary said. The framework “not only helps identify vulnerabilities, it also mobilizes government and industry expertise to address security risks before harm is done,” he said.
More work is needed, the deputy secretary said, because network attackers have an inherent advantage. Because the Internet was designed to be open and interoperable, security and identity management were secondary in its design.
“You can see just how significant this advantage is by comparing anti-virus software to the malware it’s designed to defeat,” Lynn said. “Sophisticated anti-virus suites now run on about 10 million lines of code ... up from one million lines in only a decade. Yet malware written with as little as 125 lines of code has remained able to penetrate anti-virus software across this same period.”
Government agencies need the scientific community to help strengthen network architecture, he said.
“We must embed higher levels of security and authentication in hardware, operating systems and network protocols,” Lynn said. The National Strategy for Trusted Identities in Cyberspace, a White House initiative, “will lay one building block of this more secure future,” he said.
“It will take the course of a generation to have a real opportunity to engineer our way out of some of the most problematic vulnerabilities of today’s technology,” he said.
To spur security improvements, the Defense Department is adding $500 million for new research in cyber technologies, with a focus on areas like cloud computing, virtualization, and encrypted processing, Lynn said. The department also is providing seed capital to companies through its “Cyber Accelerator” pilot program to produce dual-use technologies that address cyber security needs, he said.
The department must speed its adoption of these new technologies, Lynn said.
“It currently takes the Pentagon 81 months to field a new information-technology system. The iPhone was developed in just 24 months,” he said. “We have to close this gap and Silicon Valley can help us.”
The Pentagon will expand its Information Technology Exchange Program, which manages temporary job-swaps between the department and industry IT experts, he announced.
“We want senior IT managers in the department to incorporate more commercial practices,” Lynn said. “And we want seasoned industry professionals to experience, firsthand, the unique challenges we face at DOD.”