Remarks to the Joint FSC/PC on the Military Aspects of Cyber-Security
As prepared for delivery by Colonel Brian Vile, Deputy Director of the Joint Cyber Center, U.S. European Command
March 22, 2017
Good morning. It is a pleasure to be here today to discuss cyber security issues from a military perspective.
It is significant that the Organization for Security and Cooperation in Europe is the first regional organization to adopt cyber confidence-building measures (CBMs) intended to help reduce the risk of misperception, escalation, and conflict stemming from the use of information and communication technologies. In particular, the first set of CBMs, adopted in 2013, focused on exchanges of information, such as national strategies, to increase transparency among OSCE participating States. With this in mind, I want to first address the growing threats to national security in cyberspace and then discuss how the United States Department of Defense is addressing these threats.
We are witness to an ongoing revolution in how humanity works with one another, created by the continued maturation and expansion of information technology. It was only fifty years ago that scientists first linked computers together to share information, and only 25 years ago the World Wide Web was created. As a result, anyone with access to the Internet can utilize information on a scale unimaginable only a few years ago. This change has impacted nearly every aspect of modern society, and it is sometimes difficult to remember what life was like before the Internet. This intricate web that connects both individuals and nations has given rise to the concept of cyberspace, the ethereal and borderless web of physical and logical infrastructure that enables information sharing on a previously unimagined scale.
Like other nations, the United States relies heavily on the Internet and associated cyberspace for a wide range of critical services. Computerized systems process and build the goods that we rely on. Shipments are synchronized and coordinated globally using automated systems. Even the generation and distribution of electricity is reliant upon industrial control systems to efficiently and effectively manage those critical functions.
Although cyberspace provides nearly unlimited promise, it is not without risk. Our reliance on the confidentiality, availability, and integrity of cyberspace stands in stark contrast to the inadequacy of our cybersecurity. Security for the infrastructure, protocols, and applications upon which cyberspace relies has too often been ignored or insufficiently thought out. There is no easy answer for eliminating, or even mitigating, these vulnerabilities. Even with significant investment in cybersecurity, many systems will remain open to attack. Fully protecting cyberspace is impossible.
Exploitation of these vulnerabilities isn’t limited to criminal actors stealing data and intellectual property for fiscal gain. State and non-state actors leverage these same weaknesses to achieve political, economic, informational, and military objectives. The increasing use of cyberattacks as a political instrument reflects a dangerous trend in international relations; vulnerable data systems present both state and non-state actors with an opportunity to strike the United States and its interests. During a conflict, the US Department of Defense assumes that our adversaries will also seek to target US or allied critical infrastructure and military networks to gain a strategic advantage. A disruptive, manipulative, or destructive cyberattack could present a significant risk to U.S. economic and national security if lives are lost, property destroyed, policy objectives harmed, or economic interests affected.
As outlined in the US Department of Defense Cyber Strategy, the US Department of Defense’s primary responsibility is to protect our own networks and data. In concert with the rest of the United States government, the DOD is also responsible for defending the US homeland and US interests from attacks, including cyberattacks of significant consequence. In a manner consistent with US and international law, we seek to deter attacks and defend the United States against any adversary that seeks to harm our national interests during times of peace, crisis, or conflict. To this end, the Department of Defense has developed capabilities for cyber operations and is integrating those capabilities into the full array of tools that the United States government uses to defend US national interests, including diplomatic, informational, military, economic, financial, and law enforcement tools.
To support its missions in cyberspace, the Defense Department conducts a range of activities outside of cyberspace to improve collective cybersecurity and protect US interests. The United States European Command – and my office in particular – is responsible for carrying out these activities in the European region. Key tasks include building alliances, coalitions, and partnerships abroad; developing solutions to counter malware; and working with allies and partners to increase cybersecurity and to plan and train for military cyber operations.
First, the US Department of Defense seeks to assist our allies and partners to understand the cyber threats they face and to build the cyber capabilities necessary to defend their own networks and data. Many potential partners have complementary capabilities that can augment those of the United States, and the United States seeks to build strong alliances and coalitions to counter potential adversaries’ cyber activities. Strategically, a united coalition sends a message that the United States and its allies and partners are aligned in collective defense.
Second, the United States is developing solutions to counter the proliferation of destructive malware. The uncontrolled spread of these capabilities presents a significant risk to the international system. Working with the Department of State and other agencies of the US government as well as US allies and partners, the Defense Department will draw on best practices to counter the proliferation of destructive malware within the international system. In addition to international regimes and best practices, the US government has a range of domestic export control regimes for governing dual-use technologies that can be used to prevent proliferation.
Finally, the Department of Defense will continue to work with capable international partners to plan and train for cyber operations.
Although challenges in cyberspace are manifold, they are not insurmountable. By continued engagement and cooperation, the United States Department of Defense will remain postured to protect and defend both the US homeland and our national interests.
Thank you for the opportunity to discuss U.S. Department of Defense perspectives on cybersecurity and to contribute to greater transparency in the OSCE region. The risk of conflict stemming from the use of ICTs is real, and this discussion is an important reminder why cyber confidence-building measures can be helpful in reducing the risk of conflict among states.