The Defense Department’s new cyberspace strategy is not a manual for how the Pentagon will attack adversaries in cyber wars of the future.
Rather, the document, two years in the making and released Thursday, focuses almost entirely on defense, save for the reassertion – also proclaimed in the White House’s recent international strategy for cyberspace – that the United States reserves the right to respond militarily to acts perpetrated through computer networks.
But attacks that cause physical damage or serious disruption are, in the Pentagon’s view, on the “far end” of the continuum. While DoD needs to prepare for such attacks in the future, the current concern is over present-day intrusions in which terabytes of information and intellectual property have been stolen, said Deputy Defense Secretary Bill Lynn in a speech accompanying the strategy’s release at the National Defense University in Washington.
Lynn said the latest large breach happened in March, when attackers absconded with 24,000 files in an intrusion into a defense contractor’s network. The files contained sensitive information on an undisclosed system the vendor was building for DoD.
Lynn’s comments were the first public acknowledgement of the March breach. He said the attacker is believed to be a foreign intelligence agency, though he declined to name the nation the Pentagon suspects. He also did not identify the contractor involved.
Lynn said the Pentagon has a “pretty good idea” who was behind the attack, and DoD was improving its capabilities more generally in the difficult area of attribution: pegging an attack to a particular adversary in the murky world of cyberspace.
But even in cases in which DoD knows who the enemy is, Pentagon planners believe the threat of retaliation alone is not enough to deter potential adversaries from trying to inflict damage or steal information through networks.
“Our ability to identify and respond to a serious cyber attack is only part of our strategy,” Lynn said. “Our strategy’s overriding emphasis is on denying the benefit of an attack. Rather than rely on the threat of retaliation alone to deter attacks in cyberspace, we aim to change our adversaries’ incentives in a more fundamental way. If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place.”
Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, said the Pentagon believes it can change the cost-benefit analysis of attackers by making it more difficult to capitalize on a successful intrusion into one of DoD’s millions of computing devices.
“Today we have a network that’s essentially constructed around point defenses. You go buy a firewall and some sort of virus protection and you put it on your computer. It’s the most inefficient defense there is,” he said. “You’re static, and you’re always there. Attackers can just keep repeating it as often as they want, and there’s really no penalty for doing it.”
Instead, DoD wants to build robust, multi-layered, active defenses, relying on a global system of sensors to detect and neutralize threats. The strategy calls for the funneling of research and development funding to create technologies to accomplish that goal, plus a focus on recruiting and training a cybersecurity workforce to maintain the defenses.
Such a setup would let DoD detect threats early and isolate them to a single computer, rather than chasing down an intrusion that manages to penetrate an entire network, Cartwright said.
“Those types of activities tend to affect those who would attack us,” he said. “If they think they’re going to be thwarted or if they think they’re not going to get the effect they desired, it changes their calculus. To the extent that you add other measures, whether they’re offensive in nature or law enforcement or diplomatic activities, they also tend to raise the price. But they’re only effective if they’re credible. We have to have a system that recognizes an attack, registers it and then allows us to react in a way that’s appropriate and proportional.”
The strategy also calls for stronger relationships with other nations to establish standard rules of the road and expected behavior for operating in cyberspace, though Lynn said doing so won’t necessarily require new treaties.
Lynn said the Pentagon also is continuing to explore ways to share classified information on cyber threats with the Defense industrial base in order to ward off attacks like the one that happened in March. The department is in the middle of a 90-day pilot program in which it is providing defense contractors with access to information that can help them detect threats.
The pilot is isolated to roughly a dozen companies for now, but Lynn said the Pentagon believes it already has helped ward off potential attacks. The test will be completed by the end of this summer, he said.
“We’re going to assess where we are,” he said. “And we’ll be looking at expanding it vertically to more of the Defense industrial base, and we’ll be looking at expanding it horizontally to other critical infrastructure operators, and whether it’s appropriate to do so. We’ll be looking at those decisions in the fall.”
Cartwright said members of the military shouldn’t expect to see a bevy of new doctrine, policy and regulations brought on by the new strategy. Rather, he said, the focus will be on adapting existing rules to the idea that cyberspace is what the strategy refers to as an operational domain.
“I mean, if an airman has to have a set of rules for everything except cyber and then a separate set of rules for cyber, it’s really difficult,” he said. “We’re starting from the concept that we’ll use the laws that we have, understand the implications and understand where it applies where it does and where it doesn’t. To the extent we need something more, make it a deviation. But don’t try to invent an entire set of rules, laws, policies that only apply to cyber. Because it’s really difficult for us to take that, teach it and apply it in conflict.” Likewise, Cartwright said, DoD does not need to establish new classifications particular to cyber attacks that dictate when a military response is warranted and when it is not. He said just as with conventional military attacks, it would be up to the nation’s political leadership to decide if, when or how the U.S. should respond.
“It’s the output side of the equation, not the vehicle that determines whether it’s an act of aggression. An act of war is in the eyes of the beholder,” he said.
The strategy drew some early criticism Thursday on charges of failing to more precisely identify the department’s plans for offensive cyber capability and vague details around interagency cooperation.
Rep. James Langevin (D-R.I.), who has worked extensively on cybersecurity in Congress and who attended the strategy’s unveiling, asked in a statement provided by his office: “What are acceptable red lines for actions in cyberspace and what resources can and will the Defense Department provide to the Department of Homeland Security, private companies, and international partners to enable their own defense? Does data theft or disruption rise to the level of warfare or do we have to see a physical event, such as an attack on our power grid, before we respond militarily?”
Alan Chvotkin, executive vice president of the Professional Services Council, a group which represents government contractors, said in a statement that the Pentagon plan, at least in its unclassified form, lacked detail.
“This strategy is at best a compilation of previously adopted departmental plans and missions covering other critical components of the department’s operational domain, such as the need and approach for an offensive capability to prevent or respond to a cyberattack,” he said. “Where the strategy does identify implementing actions-such as in securing the department’s supply chain or addressing the department’s acquisition processes for information technology-the strategy stops short of reconciling competing priorities or addressing the direct and indirect costs of meeting these requirements.”
(Copyright 2011 by FederalNewsRadio.com. All Rights Reserved.)
This story is part of Federal News Radio’s daily DoD Report. For more defense news, click here.
TAG: DoD | industry | cybersecurity | William Lynn | James Cartwright | James Langevin | Alan Chvotkin | Professional Services Council | technology| information sharing| Defense industrial base| Jared Serbu