The Defense Department is moving “way too slowly” to protect the U.S. from cyber attacks, the Pentagon’s No. 2 official said today.
“We’re still vulnerable, and the pace is not adequate,” Deputy Defense Secretary Ashton Carter said in a speech to the Air Force Associaton’s annual conference in Maryland. “I hope this isn’t one of those situations where we won’t do what we need to do until we get slammed.”
While the Pentagon has been focused on defending its own computer networks and developing cyber weapons, it’s been struggling to find ways to help private companies protect themselves from cyber attacks, he said.
“That’s a little harder,” Carter said. Most computer networks are controlled by “private entities who typically fail to invest or under-invest in their security.”
Antitrust concerns are complicating the Pentagon’s task, Carter said.
“When we provide information to Company A, do we have to provide the same information to Company B?” he asked. “Can Company A provide information to Company B, or does that violate the antitrust laws?”
Carter said myriad questions must be resolved as the Defense Department tries to make private computer networks less vulnerable to attack.
“Should we require private industry to control its networks, or is that the heavy hand of government regulation?” he asked. “We’re working our way through all these issues, my own view is, way too slowly.”
Pentagon leaders agree that cyber security is an increasingly important focus -- and area for spending -- as the threat of cyber attacks increases.
“We’ve all got to be thinking about cyber,” U.S. Army General Martin Dempsey, chairman of the Joint Chiefs of Staff, said in a separate speech to the Air Force Association today. “It will be a game-changer.”
Still, military leaders are wrestling with how best to organize themselves for the new threats and assess what they need.
“This is a really fuzzy area for a lot of people,” said General Mark Welsh, the new Air Force chief of staff, in a talk with reporters yesterday.
“I’m just a little hesitant to commit wholeheartedly to major resources to an area that I don’t completely understand.”
Without more clearly defined requirements, Welsh told the Air Force Association conference, “I’m concerned it’s a black hole.”
In May, Pentagon officials predicted that as many as 1,000 defense contractors may join a voluntary effort to share classified information on cyber threats under an expansion of a first-ever initiative to protect computer networks.
Following a pilot program that involved 36 contractors and three of the biggest U.S. Internet providers, the Obama administration approved a rule letting the Pentagon enlist all contractors and Internet providers with security clearances in the information exchange, Eric Rosenbach, deputy assistant secretary of defense for cyber policy, said at the time.
Cyber threats facing the U.S. defense industry and its “unclassified information systems represent an unacceptable risk of compromise of DoD information and pose an imminent threat to U.S. national security and economic security interests,” according to the federal rule authorizing the expanded Department of Defense program.
Information needs to be shared because hackers, especially in China, are accelerating efforts to penetrate computer networks such as those of defense contractors, Rear Admiral Samuel Cox, director of intelligence for U.S. Cyber Command, told reporters at a conference in April.
“Chinese capabilities in computer network operations have advanced sufficiently to pose genuine risk to U.S. military operations in the event of a conflict,” according to a March report by the U.S.-China Economic Security Review Commission, a group created by Congress to monitor China.