WASHINGTON – U.S. cyber defenses are “purely defensive” and “way too predictable,” according to Vice Chairman of the Joint Chiefs of Staff Gen. James Cartwright. By doing little more than patching up vulnerabilities after each attack, the U.S. is spending too much money and doing nothing to hit back at its attackers, he charged on Thursday.
“We’ve got to change that right now,” Cartwright told reporters, just hours before the long-awaited 1 p.m. release of the DOD cyber strategy. “We’re on a path that is too predictable, way too predictable. It’s purely defensive; there is no penalty for attacking right now.”
One of the continuing questions of the slowly developing U.S. cybersecurity plan is whether federal agencies like the Defense Department, Department of Homeland Security or other intelligence agencies would – or could, legally – conduct their own offensive cyberattacks to keep threats at bay inside and outside of U.S. borders.
In strong remarks, Cartwright decried what he called “the Maginot Line approach.”
“If it’s OK to attack me, and I’m not going to do anything other than improve my defense every time you attack me, it’s going to very difficult to come up with a coherent strategy,” he said. “But up until now, that has really been the focus -- probably 90 percent thinking about how to build the next best firewall, and 10 percent thinking about what we might do to keep them from attacking us.”
Cartwright said he was not referring to “kinetic” responses -- lethal combat force -- to cyberattackers.
The global, split-second nature of cyberattacks requires partnering with other nations, he said, but did not elaborate. Determining partnerships with other U.S. agencies, however, has been more difficult.
“How do you do it in such a way the checks and balances between cabinet agencies that we have today -- that has been a lot harder struggle.”
Eyeing budget talks dominating Washington, Cartwright said DOD must get off a defensive crouch to save money.
“It’s a horrible business case for the nation, at large, because it’s costs us more. Every time somebody spends a couple hundred dollars to build a virus, we’ve got to spend millions. So we’re on the wrong side of that, we’ve got to change that around,” he said.
Deputy Secretary of Defense William Lynn is scheduled to reveal the Pentagon’s cyber strategy at 1 p.m. at National Defense University.