Cyber Security Leadership

Jul 15, 2010

Since that time, then Senator has indeed become President Obama and has launched (in March) the National Cybersecurity Initiative with a $40 billion budget.

William J. Lynn III
Deputy Director of Defense

"The reality is that we cannot defend our networks by ourselves. We need a shared defense.

"In the cyber world, the speed of attacks will require even swifter and more coordinated responses.

"Aircraft can cross the ocean in hours. Missiles in minutes. But cyber attacks strike in miliseconds. Cyber also disregards traditional notions of sovereignty. For the most part cyber traffic crosses boarders freely.

"In the cyber arena, knowing who your adversary is, and what they've done, is a key part of mounting an effective response. Yet determining where an intrusion originates is imperative for establishing the chain of events in an intrusion, and for quickly and decisively responding."

Last December, Howard A. Schmidt, a veteran of computer security and law enforcement, was appointed as his Cyber Czar. Schmidt, the former chief security officer at Microsoft Corp, played a key role in drafting the 2003 report, National Strategy to Secure Cyberspace. On leaving the Bush administration, he was quoted as saying: “While significant progress has been made, there still is much to do. It is the role of industry to take the lead in the implementation of the strategy and the creation of the mosaic of security. [Accomplishing] this will require real-time solutions, not just reports and plans that take years to implement [and] have limited value in dealing with the tremendous vulnerabilities that exist here and now. Each sector, each enterprise, each company and each user must do their part to secure their piece of cyberspace.”

In keeping with the scope of this security challenge and the U.S. leadership’s sense of its importance and urgency, U.S. Deputy Director of Defense, William J. Lynn III, conducted a two-day visit to Canada with counterparts at CSE, Public Safety, and DND. He also made a presentation to the public and the press, sponsored by the Conference of Defense Associations Institute.

Mr Lynn was direct in his public presentation. He stated, in the “tradition of defense cooperation begun by Mackenzie King and Franklin Delano Roosevelt,” that “one of the most challenging asymmetric threats is what brings me to Canada – the cyber threat to our national and economic security. For most of our history, we have relied upon the great oceans that surround us to shield us from attack. However, our natural geographic defenses are of no use against cyber attacks. The internet can transport malicious code twice around the globe faster than the blink of an eye. Our networks can fall prey to an attack in an instant.”

Mr Lynn is concerned that intrusions are growing more frequent. “More than 100 foreign intelligence organizations are trying to hack into U.S. systems,” he said. “Foreign militaries are developing offensive cyber capabilities, and some governments already have the capacity to disrupt elements of the U.S. information infrastructure.”

Even Senator Obama was not spared when, during his presidential campaign in 2008, hackers gained access to campaign files of Barack Obama. Policy papers, travel plans, and sensitive emails were compromised. Mr. Lynn referred to some strategic adjustments they were making that ­followed from the Quadrennial Defense Review, which was completed this spring with the active participation of a representative from the Canadian Department of National Defense… “first, our militaries need to respond to both high-end and low-end threats… second, we must shift some resources from longer-range scenarios, looking out a decade or more, to the fights that we face today… third, moving to reduce the stress on our forces.”

Specifically on the topic of Cyber Security, he went on to observe that: “like the long history of our cooperation in border defense, we have a similar interest in protecting our networks. Doing so will also require a similar partnership. But, in the cyber world, the speed of attacks will require even swifter and more coordinated response.”

The reasons for stepping up our cyber response are clear, suggests Mr Lynne. ­”Aircraft can cross the ocean in hours. Missiles in minutes. But cyber attacks strike in milliseconds. Cyber also disregards traditional notions of sovereignty. For the most part, cyber traffic crosses boarders freely. And in the cyber arena, knowing who your adversary is, and what they’ve done, is a key part of mounting an effective response. Yet determining where an intrusion originates from, and who is responsible, are among the most difficult challenges we face. Put simply, international cooperation is imperative for establishing the chain of events in an intrusion, and for quickly and decisively responding. The reality is that we cannot defend our networks by ourselves. We need a shared defense.”

In a subsequent session, Deputy Secretary Lynn agreed to answer questions from selected media. FrontLine was there.

Q1 It has been suggested that some new structure, like or including NORAD or the Permanent Joint Board on Defense, might be models for what we might seek jointly, but there are also some serious new players… our own key private industries own and operate much of our mutual critical infrastructure (com­munica­tions, power and financial infra­structures are largely privately owned). What is your vision of the scope and process to achieve this bilateral cyber security body that you seek with Canada?

Mr Lynn: I think there are three lines to answer your question; One, we are looking to integrate the Permanent Joint Board on Defense in this matter. We are in fact wishing to strengthen the present U.S./ Canadian alliance. The PJBD is an important part of this partnership and should be part of this solution going forward, particularly as a forum in matters of critical infrastructure.

Secondly, we are looking to strengthen the relationships in a particular way with Critical Infrastructure with our four departments – our DOD and DHS and your DND and Public Safety. The four of us need to work through these important critical infrastructure issues so that we share more. The U.S./Canada alliance is different in that we share much more of this critical infrastructure… we really do need a collaborative joint approach in the public and private domain.

Third, refers to my specific mission here in examining how we can increase our partnership on cyber security. I think this is more of a high level experts’ exchange. This would be less of a permanent thing unlike the PJBD. We must mutually identify the various policy issues, legal framework concerns and extend our already fruitful technical exchanges and do so on an agreed basis.

Q2  We look at what you have done in creating Cyber Command, yet what Canada has done appears only to have been a re-announcement – for the third time – that we will be getting a Cyber Strategy. What deficiencies do you see insofar as what Canada needs to do to face this growing threat?

Mr. Lynn: Both the U.S. and Canada face a similar threat from similar sources in the cyber arena, so I think that there is also a mutual need for urgency.

A critical part of how we succeed in facing this security challenge is how we work with our allies. We are particularly focused on our closest allies; we have talked to the UK and Australia and are engaging with Canada. We will probably work out to the larger NATO audiences as we progress, but both the geography and the closeness of the alliance with Canada makes Canada a particularly important partner.

We are initiating a group to look at the power grid and we are looking at a cyber security policy group; these are the kind of things that we would want to do. We are not announcing something today, but I think this is the pathway we must follow. We also find it useful to have an ally attend our deliberations, (as happened for the QDR) since we all know that when you just read the report you miss the debate of options and factors discussed and do not get an organic understanding of a strategy and why it is there. It helps to communicate and better understand when you attend. It increases trust for all. We have found it very valuable to have allies participate in this.

Q3  You mentioned the legal policy and framework discussions. Would you, for instance, sit down with Canada and determine what constitutes a cyber attack and what retaliation it would need if any?

Mr. Lynn: I think that each country will have to address this within its own particular legal structure, but there are also international norms that apply here and the laws of war are, frankly, imperfect when you look at Cyber Security – so how do you adapt them and have appropriate constraints on roles and processes? Therefore, discussion on how we interact between allies is vital. It is something that we agree needs discussion.

Q4  When you talk to allies, you both know there are some nation states and other non-state actors who have the means to conduct cyber attacks… and you have also that capability, as do some allies. Will your discussions encompass both defensive and offensive measures?

Mr. Lynn: One of the most difficult issues in the cyber world is the whole concept of deterrence. In the nuclear arena where much of the literature on deterrence evolved, there were certain things that you had, that do not so clearly exist in the Cyber world. One is attribution. Missiles come with a return address and you pretty much know who wants to do you harm. In cyber it is very, very difficult and even when you can, it may take months. Similarly, it is not even clear what constitutes or is an attack. Is the theft of data an attack? Is shutting down certain web sites an attack? If you get the loss of life and huge economic damage, people will pretty much agree, but there is a whole spectrum that makes it hard to be precise and consistent. If you are unsure it is an attack and cannot clearly attribute it… then who do you go after? As well, people get focused on high end threats with nation states, but this is a capability that can be developed by non-state actors with a smaller resource footprint. Terrorists… criminals can do it, and possess already some pretty sophisticated cyber capabilities. Deterrence is based on threatening a person having something at risk that he is unprepared to lose. Those non-state actors may not have such ‘things,’ and all of that changes the parameters of deterrence. This is part of what must be discussed with our allies and friends. How do we adapt our notions of deterrence to the Cyber world? What are the risks and costs of cyber security and how do we determine methods and means to protect our networks without undermining the businesses involved or, worse, losing lives.

I thank Mr Lynn for his time and efforts during his visit. We urge our own government to treat these active, complex and very real security threats with the urgency they deserve.

A recent CBS 60 Minutes special on Cyber Security (13 Jun 10) made reference to major disruptions of infrastructure power, water distribution, financial and banking systems, major black outs in Brazil in 2005 and 2007, and major interference in 2009 including a breach and viewing of deliberations at US Central Command HQ. As well, it reported that more than $100 million was stolen through the internet this year. Let us not forget the well known Estonian and Georgian cyber attacks by Russia.

FrontLine Security continues to monitor Canada’s progress in this pervasive cyber domain, and finds us sadly wanting in ­leadership. Oh… Canada!

© FrontLine Security 2010