Any large, future clash will “almost certainly” include aspects of cyber warfare, a threat that reaches far beyond military operations and into the core of the U.S. economy, said Deputy Defense Secretary William J. Lynn III at the Council on Foreign Relations in New York City last week.
“Any major future conflict will almost certainly include elements of cyber warfare,” Lynn said. “And the threat posed by cyber warfare extends far beyond military operations – it extends to the very heart of our economy.”
The Department of Defense always knew about threats posed by hackers, nation states or terror groups in the cyber world, but it experienced a wake-up call in 2008 when an intrusion into military networks extended to the classified realm.
Lynn said up to that moment, “we did not think our classified networks could be penetrated.”
The breach occurred when someone in the Middle East used a thumb drive to transfer data from the unclassified network to the classified network, he said. The department launched Operation Buckshot Yankee and spent a lot of time, energy and money to remedy the situation. The attack led to a new approach to cybersecurity in the Pentagon, Lynn said.
Expanding on the recent article he wrote for Foreign Affairs magazine, Lynn detailed the attributes of the cyber threats. First, he said, cyber is an asymmetric threat. It costs very little to develop a cyber threat, while defending against it costs quite a lot. As an example, he explained how some of the most complex, commercially available defense software now has between 5 million and 10 million lines of code. In contrast, the average malware has stayed constant over the last decade at 170 lines of code, Lynn said.
A second attribute of the cyber threat is the issue of attribution and the time it takes to identify an attacker, the secretary noted.
“The forensics of identifying an attacker can take weeks, months — or even years — if you can do it at all,” he said.
A third attribute, Lynn said, is that cyber warfare is offense-dominant. The Internet, he said, was not created with security in mind; instead, it is transparent and encourages ease of technical innovation.
“Structurally, you will find the defender is always lagging behind the attacker in terms of developing measures and countermeasures,” Lynn said. “Adept programmers will always be able to find vulnerabilities and challenge security measures.”