June 15, 2009 -- The Quadrennial Defense Review will address cybersecurity in a variety of ways as the threat of network attacks against the Pentagon grows, Deputy Defense Secretary William Lynn said today.
The department faces attacks against military and defense networks that could disrupt military networks, Lynn said at a Center for Strategic and International Studies event in Washington on the Defense Department's role in cybersecurity. Pentagon computers are “probed thousands of times a day” and “scanned millions of times a day,” he added, noting that the frequency and sophistication of these attacks are increasing “exponentially.”
Last year, DOD experienced one of the most significant attacks on its military networks, he told the audience. Malicious software infected several thousand computers and forced U.S. troops and defense personnel to give up their external memory devices and thumb drives, “changing the way they use computers every day,” he remarked.
Although such attacks have not cost lives, “they are costing an increasing amount of money,” Lynn said. “In a recent six-month period alone last year, the Defense Department spent more than $100 million defending its networks.”
The government recently completed a 60-day cyber review, led by White House cybersecurity chief Melissa Hathaway, of the government's computer infrastructure.
Because the country as a whole is unprepared for cyber challenges, network defense will play a central role in the QDR, Lynn said. During the review, DOD will assess current capabilities against requirements and make recommendations for the future. Lynn also said the United States needs doctrine to govern “how we protect cyberspace as a domain, how our forces are designed and trained to protect our networks.”
The QDR will look at three types of activities involving war-gaming and scenario-playing, he said.
“One is just the kind of conventional military scenarios, and we've added a cyber component to those so that we understand what the implications of Georgia and other harbingers of what we think the future might bring,” he said. Last year, Russia launched an attack on the country in which Georgian government computers were hit.
“Second we have a red team that's led by Andy Marshall, the director of net assessment at the Pentagon, and. . . Gen. Jim Mattis,” the head of U.S. Joint Forces Command, he said. “And they are doing a red team analysis of those same scenarios and may have an even heavier emphasis on cyber scenarios.”
DefenseAlert first reported on the red team analysis on May 13.
Moreover, the Pentagon is consulting its own cyber experts to think about some “stand-alone cyber scenarios” that may be incorporated into the review, he said.
However, he said, DOD is pursuing a number of other initiatives prior to the completion of the QDR.
As an example, the fiscal year 2010 budget will triple the number of graduating cyber experts from 80 to 250 a year, Lynn told the audience.
In addition, the Defense Advanced Research Projects Agency plans to develop a cyber security range in the next fiscal year that would allow government agencies to test cyberdefense scenarios, he noted.
The Pentagon is also still considering the creation of a sub-unified cyber command under U.S. Strategic Forces Command, Lynn said.
“As of today, [Secretary] Gates has not made the final decision on this command,” he said. “Such a command would not represent the militarization of cyberspace. It would in no way be about the Defense Department trying to take over the government's cybersecurity effort.”
Gates is still “evaluating proposals,” Lynn said, while the Joint Staff is “working out the details of how this command would work and what the reporting relationships are.” -- Fawzia Sheikh