RAY SUAREZ: We go now to Deputy Defense Secretary William Lynn.
WILLIAM LYNN, United States deputy secretary of defense: Thank you.
RAY SUAREZ: What is the nature of the threat in 2011 that the Department of Defense had to come up with a strategy to counter?
WILLIAM LYNN: Well, the threat’s growing in two dimensions, Ray.
First, it’s moving up a scale of escalation. Most of what we see today is exploitation — that’s theft, stealing secrets, either commercial or military. We have seen some instances where they attack networks and degrade the networks. And there is the possibility — we know the tools exist — to destroy things, to destroy physical property, to destroy networks, to destroy data, maybe even take human lives.
At the same time, the threat is moving in a second dimension. Right now, the most sophisticated nation states are really the sole possessors of the sophisticated cyber-tools. But, over time, it’s going to migrate to rogue states, and it’s going to migrate to eventually terrorist groups.
At some point, you’re going to see a marriage of capability and intent, and that is what we should truly worry about.
RAY SUAREZ: If the Department of Defense’s mission is to protect the United States and its people, how does this strategy protect this country and its people?
WILLIAM LYNN: Well, the strategy is intended to protect the information technology that’s one critical to our military capabilities.
Most of our military capabilities rely on information technology to do navigation, to do targeting, to do command-and-control, all the basic functions. So, the — in the first instance, we’re protecting those military capabilities.
But we need to go further. Working through the Department of Homeland Security, we need to think about how we might use better defensive capabilities to protect our critical infrastructure, the power grid, the transportation network, the financial sector.
RAY SUAREZ: Are you committing on — is the Department of Defense committing to protecting the Internet worldwide? This is a privately owned, privately operated network that’s worldwide, yet the United States Department of Defense is setting out to protect it. Help me out with that.
WILLIAM LYNN: We’re not committing to protect the entire Internet. We’re talking about protecting the military networks in the first instance. We’re talking about working with Homeland Security to protect our critical infrastructure, the sectors I just named.
And we’re talking with our allies about how we have a collective defense, that we’re working with them to share technologies, to share understandings of the threat, so that we have a collective defense approach to this important problem.
RAY SUAREZ: Sometimes, recent attacks have taken the form of disruption of financial markets. Sometimes, they have been denial-of-service attacks meant to disrupt the commerce of the United States. Where do you draw the line between malicious criminal activity to something that actually is a security threat?
WILLIAM LYNN: Well, most of what we have seen right now has been malicious activity. In some cases, it’s criminal. In some cases, it’s espionage.
We have seen a few cases — and a few cases where it goes above that and degrades networks themselves, as has happened in Estonia and Georgia a couple of years ago. The impact of those attacks is corrosive. It erodes our military advantages by stealing our technology. It erodes our economic advantages by stealing our intellectual property.
But, over time, our fear is that it will go — the scale of the attacks will rise to the — they will become truly destructive.
RAY SUAREZ: The Department of Defense has assets, people, tanks, planes, intelligence, and missions where — that usually involve places, physical objects, land that needs to be taken, armies that need to be taken out.
Does the nature of the Internet create a front that’s not in any particular place, that isn’t a physical set of objectives? Does it require thinking about what security is in a different way?
WILLIAM LYNN: It does require thinking in a different way. It’s a new domain. It’s different than land, sea, air and space.
And we need to think about, what are the characteristics of it? It’s largely privately owned. It crosses borders. It doesn’t respect sovereignty. And the speed at which it moves, keystrokes on one side of the globe can have an impact on the other in the blink of an eye. So we need to take account of all those factors as we look to protect our networks.
RAY SUAREZ: Now if you are sitting at home listening to our conversation and think, oh, now the Department of Defense wants to protect that part of our national assets, does that also mean they want to monitor it, snoop on it, be a presence on it in a way that might bother me?
WILLIAM LYNN: No, we don’t want to do that at all.
And we don’t — we don’t participate in any monitoring or any scanning of networks in the United States. What we’re doing is trying to protect our own military networks, and we’re trying to work with the appropriate agencies, the FBI, with law enforcement, the Department of Homeland Security, for protection of critical infrastructure to provide capabilities that might — that the Defense Department has that might be used for those critical missions. But we don’t have the primary role.
RAY SUAREZ: A lot of people are familiar with basic training and what it is, physical endurance, learning new skills, learning how to be a warrior for the United States. Does this front, does this new strategy mean that you will need different kind of people under your umbrella as well with a new set of skills?
WILLIAM LYNN: It absolutely does.
And we’re — we have gone about hiring those kinds of people. We have set up a cyber-command up at Fort Meade that’s organizing the military effort in this regard. And they’re out hiring people, both in uniform and as civilians, with those kinds of cyber-skills that we need. As you say, they’re different kinds of skills than we might need with conventional soldiers, but they’re equally important.
RAY SUAREZ: And where should Americans be concerned? Where in the world are there hot spots of activity, places where people are organizing or the expertise is concentrating to launch the kind of attacks we have seen in the past couple of years?
WILLIAM LYNN: Well, I think the fear that you should have here is that the attacks could come from anywhere. It doesn’t take an enormous amount of resources to develop quite toxic tools in the cyber-world.
And our fear is that the kinds of tools that exist today in nations are going to migrate to — eventually to terrorist organizations. And they’re not going to have any hesitation about striking.
RAY SUAREZ: Deputy Defense Secretary William Lynn, thanks for joining us.
WILLIAM LYNN: Thank you very much.