The Pentagon’s new strategy for blunting cyber-attacks focuses almost exclusively on improving defense instead of deterring intrusions or threatening retaliation, the vice chairman of the Joint Chiefs of Staff, Marine General James Cartwright, said today.
Deputy Defense Secretary William Lynn today released the Pentagon’s “Strategy for Operating In Cyberspace,” which outlines five “strategic initiatives.” One is increased partnering with other U.S. agencies and private industry to craft a “whole-of-government” approach.
“This strategy talks more about how we are going to defend the networks,” Cartwright told a breakfast meeting of reporters. “The next iteration will have to start to talk about here’s a strategy that says to the attacker, ‘If you do this, the price to you is going to go up. It’s not just free.’”
Cartwright called the current approach “way too predictable. It’s purely defensive. There is no penalty for attacking right now. We’ve got to figure out a way to change that.”
Asked why the Pentagon’s emphasis remains focused on defense, Cartwright said the U.S. government has “been challenged” in crafting an aggressive deterrence strategy. This includes disagreement on what “legal precedents ought to” govern U.S. action and the jurisdictional lines between domestic U.S. agencies and the Department of Defense, he said.
24,000 Files Stolen
Lynn in his speech disclosed that foreign hackers stole 24,000 U.S. military files in a single attack on a defense contractor in March in one of the Pentagon’s worst cyber attacks.
While he didn’t identify the contractor hit in March, he said terabytes of data have been extracted from defense companies over the past decade.
Cyber attacks have compromised “our most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems and network security protocols,” Lynn said in a speech at National Defense University in Washington.
Lynn didn’t name the country suspected to have been the origin of the March attack. Officials in the past have often blamed China. Lynn didn’t say whether the March attack was sponsored by a foreign government or the work of criminal hackers.
Lynn’s disclosure of the March attack is the second time he’s revealed a once-classified example to illustrate his point about the need for better cyber security.
Lynn in a September-October 2010 Foreign Affairs article disclosed a 2008 incident at a U.S. Middle East base of what he called “the most significant breach of U.S. military computers ever” that served “as an important wake-up call.”
That incident started with a flash drive infected with spyware from a still unidentified foreign intelligence agency. The drive was inserted into a military laptop and the code spread, Lynn wrote.
“Ninety percent” of U.S. government and Pentagon thinking about cyber-attacks has been “how to build the next best firewall, and 10 percent” of the thinking has been “about what we might do to prevent them from attacking us,” Cartwright said.
The military role should also “be convincing people that if they attack us, that we have the capability and capacity to do something about it,” he said.
“That’s not part of this discussion but part of what we are trying to understand,” Cartwright said. “How do you build something that convinces a hacker that doing this is going to be costly and the price will escalate?”
Defense Department networks “are probed millions of times every day, and successful penetrations have led to the loss of thousands of files from U.S. networks and those of U.S. allies and industry partners,” he said.
The Pentagon is working with industry groups and companies to strike a balance between mandating increased protections and avoiding undue financial and regulatory burdens for improved security, Cartwright said.
“Public-private partnerships will necessarily require a balance between regulation and volunteerism, and they will be built on innovation, openness and trust,” the strategy says.
“In some cases, incentives or other measures will be necessary to promote private-sector participation,” the document says. “DoD’s efforts must also extend beyond large corporations to small and medium-sized businesses to ensure participation and leverage innovation.”
Incentives might take the form of contract clauses, Cartwright said, because those are vehicles “by which we could allow them to ‘burden’ the cost -- if we say you have to have a more secure network, then you can charge that off as part of the contract.”
“Another way is to say if you are going to work in this environment, the expectation is that certain elements” of a company’s network will be protected “in a way that’s greater than the normal corporate network,” he said.
The Defense Department and the Department of Homeland Security have begun a pilot program with a “handful” of defense companies to provide more “robust” protection of their computer networks, Lynn said.
Classified threat intelligence is shared with defense contractors or their commercial Internet service providers, he said.
“By furnishing this threat intelligence, we are able to help strengthen these companies’ existing cyber defenses,” Lynn said.