WASHINGTON – The Pentagon’s long-awaited cybersecurity strategy released Thursday calls for a shift from largely defensive operations to more “active” ones that prevent attacks on computer networks deemed vital to military and national security.
But questions about exactly who should defend which of the nation’s computer networks -- and how -- remain unanswered.
Deputy Defense Secretary William Lynn, the Pentagon’s second-ranking civilian and top cyber official, presenting the Pentagon’s plan at National Defense University, said, “In the 21st century, bits and bytes can be as destructive as bullets and bombs.”
DOD says it will change how it operates by treating cyberspace as an equal “domain” to air, sea and land; work with the private sector and allies; and build the defense workforce -- all of which defense officials have been declaring publicly for years.
But Vice Chairman of the Joint Chiefs of Staff Gen. James Cartwright blasted U.S. cyber defenses as “purely defensive” and “way too predictable,” earlier in the day, before the plan was released. He said that the U.S. focus on patching up computer network vulnerabilities after each cyber attack is too costly, and that nothing was being done to hit back at its attackers.
“We’ve got to change that right now,” Cartwright told reporters, calling for a cyber security system that recognizes an attack, registers it and then responds “proportionally.” He said the Defense Department has to move beyond an attitude of “build a better firewall,” but did not reveal specifics.
“Active” cyber security is largely considered to be the ability to probe outside computer networks, including possibly foreign ones, to detect and stop threats like viruses before they reach the firewall defenses of computer systems deemed critical to U.S. security.
The new strategy hints at which systems are considered vital to protect. Ninety-nine percent of the electricity the military uses comes from civilian sources, Lynn said, and 90 percent of voice and internet communications travel via private networks, systems critics consistently warn are vulnerable. He said the Pentagon is not concerned with “criminal activity,” rather with threats against the department’s ability “to protect the security of the nation.”
“We do not know the exact way in which cyber will figure in the execution of this mission,” he said. But the Pentagon is certain that cyberattacks will target the military in “any future conflict, whether it involves major nations, rogue states or terrorists groups.”
In a few frank passages of the report, the Pentagon says that the U.S. military’s heavy reliance on computer networks “stands in stark contrast” to its ability to defend those networks. And it admits unnamed foreign intelligence organizations have already disrupted some DOD networks.
In March, one attack resulted in the loss of 24,000 files. “It was done, we think, by a foreign intelligence service,” Lynn said, but would not name the nation involved.
“DOD networks are probed millions of times every day,” the report concedes, and “thousands” of files from U.S., allied and private industry networks have been lost.
“A great deal of it concerns our most sensitive systems,” Lynn said, such as aircraft avionics and surveillance and satellite technology.
The most prevalent cyberattacks steal intellectual property from government and private networks, which “has a deeply corrosive effect” on long-term competitiveness in the area of military innovation, equal to $1 trillion in economic losses.
More importantly, Lynn said, the number of “significant” attacks, continues to rise.
DOD officials have said increasingly in the past year that they see their role as protecting military networks and concerns, secondary to the Department of Homeland Security, which is charged with protecting civilian systems. But officials often concede the president retains the authority in wartime to deploy DOD capabilities to defend the nation.
Lynn said he believes that DOD had “the authorities” it needs to execute the new strategy, and Cartwright said he did not want Congress to try and “invent” an entire set of rules of warfare just for cybersecurity.
The threshold for military action, however, remains untested.
Lynn said the Pentagon may respond to “serious” cyber attacks with a “proportional and justified military response at the time and place of our choosing.”
The new DOD strategy highlights a major weakness of U.S. cyber policy, said a former official who authored intelligence policy for the Pentagon, Justice Department, and other agencies.
Essentially, no knows who's in charge, said Dan Gallington, senior fellow at the Potomac Institute, an Arlington, Va.-based think tank that focuses on defense technology issues
"If you ask who's in charge of cybersecurity in China, it's a couple guys in a room," he said. "Here if you ask that question to senior government officials, they look at each other and shrug."
The cyber turf battle shaping up is similar to those of past years between NSA and other agencies over what agency was in charge of communications security, he said.
"But with cybersecurity, the stakes are astronomically higher," Gallington said.
Stars and Stripes reporter Chris Carroll contributed to this report.
Twitter: @StripesBaron
