Where is cyberwarfare in its evolution today?
The technical capabilities of cyberspace have grown so rapidly that they have quickly overwhelmed countries’ ability to defend their networks—and in our case, the Defense Dept.’s ability to defend its networks—as the tools for communicating in a digital realm have just exploded. And what you see today are countries, individuals, and groups exploring the ability to do reconnaissance on the networks. What that really represents is the initial stages. That’s where we are. We have to first ensure our defense and be prepared to do this quickly.
The number of cyber-intrusions is rising. Some are thefts, some is corporate espionage, some have to do with nation-states. Do you see that last element increasing significantly?
We do, across the board. [Internet security company] McAfee has some great numbers on the pieces of malicious software out there. It has grown to 55,000 a day, I think. And when you think about that, that is a huge number of unique pieces of malware, which means software that adversaries, whether it’s a hacker or a nation-state, can use to penetrate a network. It’s interesting when you think about it, because all the devices have potentially unique operating systems that have unique vulnerabilities. Today the offensive actor has the advantage. They only need to find one vulnerability to exploit a network.
Some have compared today to a kind of Cold War arms race.
Looking at it from a military perspective, just think of the possibilities that we have created—we, the U.S.—from the time of the creation of the Internet. That’s 27—roughly 27, 28 years. We now have iPads, iPhones, Androids. We have tremendous capabilities. And as we discussed, tremendous vulnerabilities. And what you see is it becoming increasingly public. When companies like RSA, Nasdaq, Lockheed, and others are hit, I think the public’s awareness grows. The reality is, it was going on previously.
Do you fear that American companies are selling sensitive technology to other countries?
No, I don’t. I’m not as concerned about that as I am concerned about the loss of intellectual property and future technology. So I think selling our equipment today globally is something that benefits our nation. What concerns me is tomorrow’s technology being stolen today that takes a competitive edge off of America. That’s the most concerning of everything that I get a chance to see. … More and more of our companies do research and development. If somebody can steal that, create a cost-effective alternative to it, when we get to market we lose. The second part is, if somebody steals that operating system we’re going to use in the future, and reverse-engineers it, they have a very rapid way to exploit a system that’s coming down the road.
Why am I concerned about that? Well, part of that intellectual property is stuff for the Defense Dept., our future weapons platforms, our future intelligence platforms, our future communications platforms. If we lose that, our nation loses.
Defense Secretary Panetta said that if there’s another Pearl Harbor, it would likely be in cyberspace. If that happens, will we necessarily know where it came from?
Not 100 percent. As it’s occurring, attributing is more difficult than determining it forensically, and even then at times it can be very difficult. So one of the things that we, the Defense Dept. and the intelligence community, must work on is presenting situational awareness in cyberspace. Now, if you were to say, “Where are you on that?” well, we’re working on it. And of course, that would get into potentially classified areas. But what the nation would expect of Cyber Command and NSA is to solve that crime.
Does China have an equivalent to Cyber Command?
Not per se, although there is word that they are trying to create one.
What worries you most?
The thing that worries me the most right now is our infrastructure is not protected where it needs to be. And the Defense Dept. relies on that infrastructure, whether it’s the power grid or the communications grid. You can put the financial networks in there as well. How do we put those capabilities on the table to protect the nation, and do it in a way that’s consistent with our values, protecting civil liberties and privacy. I believe we can do both. As we talked about, we’re the nation that created the Internet. We ought to be the first ones to secure it.