
Cyber Security and the Spreading Challenges

Mr. Robert Lentz
Former U.S. Deputy Assistant Secretary of Defense
(Cyber, Information, and Identity Assurance)

OPENING REMARKS

This workshop, dating back to Moscow 2004, was the first to really bring together the diplomatic and national security leadership community—defense ministers and so on—at a very senior level to have deep discussions about information technology and its corresponding security implications. We now call this arena cyber security. Other groups are following suit, one of which occurred in Texas recently, called the East-West Conference. The reality is that the United Nations-sponsored activity called the International Telecommunications Union (ITU), the World Economic Forum, best known for its annual meeting called Davos, or even the G-20 group of twenty Finance Ministers and Central Bank Governors all must step up and make cyber security a top priority. NATO is finally getting on board and even the U.S. Deputy Secretary of Defense is making a worldwide tour promoting greater focus on this critical topic. The good news is that IT Security/Cyber Security is no longer just the province of techies or geeks. World leaders finally understand that, with the advent of the Information Age, enabling trusted communications and preventing terrorists or criminals from exploiting the Internet to their advantage is now a core security issue that must be dealt with aggressively.

EARLY ADAPTION TO THE INTERNET

In the early 2000s, even the U.S. Department of Defense was just establishing its strategy for how we were going to adapt to the Internet. We came up with a strategy called Power to the Edge, referring to the power of information, and we began to deploy those capabilities as rapidly as we could. The problem was that, when we had those discussions back in the early-2000s time frame and we were making massive investments in the DOD post 9-11, we unfortunately did not bake in security from the beginning. I know that sounds to some like a fairly minor strategic decision, but the decision of the leadership at that point in time was that we had to get the Internet-based capability out there first in order to show people that the Internet could be the kind of technology that we could rely upon to completely transform the way military operations are conducted around the world. There were a lot of naysayers, but, over the following years, everybody became a believer in that idea, and doctrine and strategy started to change.
This delay in investing in security first goes even back to when the Internet was originally conceived, but because technology moved faster and faster, consistent with Moore’s Law, the threats became much, much more significant. Most security professionals I know will tell you that no one expected the cyber security threat to be as significant as it is today. It is much, much more daunting than we ever imagined, and that is our challenge. We are in a race, and we are behind in that race. So when Roger Weissinger-Baylon and I talked about this panel earlier this year, we decided to modify the purpose of the panel slightly and not just talk about the security dimensions of this information revolution but also about delivering the information that we all need. The question is, Is it benefiting the good guys or is it benefiting the bad guys? And how can we balance things so that we can all achieve the end goals of our strategic plans and each individual nation’s objectives?

THE DUAL-EDGED SWORD OF NEEDING INFORMATION AND NEEDING TO SECURE IT

Let’s look at what happened in Iran in terms of how the Internet became a key tool. Let’s also look at what is happening in Afghanistan with the counter-insurgency efforts. Let’s look at how important the Internet is for conducting operations like you heard Microsoft’s Tim Bloechl describe with the rich deployment of IT globally or dealing with stability operations in Africa or the Middle East. All of that is part of the fundamental issue that our cyber panel must address: The paradox that we face, the dual-edged sword of making information available while at the same time trying to secure that information so that it cannot be used against us.
Recently Army General Odierno, the outgoing U.S. commander in Iraq, was asked as he was leaving his post, “What is one of the things that frustrated you the most?” His answer was that the Internet was a tool that we needed to conduct information operations, but that Al-Qaeda and other terrorist groups were really outflanking us in that area. (These are my words but ostensibly that is what he was saying.) Al-Qaeda was using the Internet for recruitment and propaganda and public relations and so on, and we had very little means to counter that. At the same time we needed the Internet to be successful. So that is our challenge.

CYBER SECURITY AS A GAME CHANGER

Over the years at this workshop, we all agreed that cyber security has become a game changer. I am not going to elaborate on the details, but we have seen it in Estonia; we have seen it in Georgia; we have seen it in Lithuania; and we have seen it in Belarus with the Radio Free Europe denial-of-service attack. We have also seen it with the cable cuts in the Mediterranean, which were indirectly a cyber space event highlighting the fragility of traditional communications, and we have seen it most recently with the tremendous rise in cyber crime. Once again, experts in this field will tell you that they are shocked at how cyber crime has swept over the world and that there is more money in cyber crime than there is in the drug trade. One statistic that I think is very startling in this area is that one in every five victims in the critical infrastructure area is a victim of cyber extortion—this is the reality of what we face. In China, we recently saw Google and other major companies become victims of very sophisticated, targeted cyber attacks, which is the newest trend that is occurring every day.

CONCLUDING REMARKS

Before ending my remarks and turning to our esteemed panel, I would like to throw out a question: What country in the world today has the highest level of cyber security adoption? The answer is China, which also has the highest level of encryption in the world today. Draw any conclusions you want from that, but the reality is that we are all together in this information revolution and we all have a responsibility to deal with it.


©2010 Center for Strategic Decision Research