Pentagon's cyber strategy aims to quell fears of militarizing cyberspace

The Pentagon plans on July 14 to release a much-anticipated cyberspace operations strategy that, contrary to some expectations, does not call for militarizing the domain. According to an unclassified draft copy of the framework obtained by Nextgov, the goal is to extinguish any hope enemies may have of accomplishing a destructive attack.

The Defense Department will build new "active defenses" -- sensors, software and digital signatures -- into military networks to detect and stop malicious code before it ever affects operations, according to the document.

"Too many of our adversaries would gamble that we could not attribute the attack to them," according to a draft of the remarks Deputy Defense Secretary William J. Lynn III is expected to make. "Far from militarizing cyberspace, our strategy of securing networks to deny the benefit of an attack will help dissuade military actors from using cyberspace for hostile purposes."

Defense cannot monitor civilian networks, however, which presents a challenge, since 99 percent of the electricity it consumes is distributed through private sector systems and 90 percent of military communications travel over commercial and residential networks. To address the security gap, the department will provide some industry partners with classified intelligence on threats for self-help purposes.

Currently, through Cyber Pilot, the Pentagon is offering a handful -- 35 according to one source -- of its 8,000 contractors or their Internet service providers this information. The classified information-sharing already has successfully thwarted malicious activity.

"It has already stopped intrusions at participating industry partners," and as a positive side effect, the military learned about the techniques perpetrators had used to try to penetrate contractor systems, according to the draft of Lynn's remarks.

The White House this spring ignited action governmentwide to defend the Internet by releasing two strategies -- one civilian and one international -- that attempt to carve a path forward in the lawless domain of cyberspace. Defense plays a role in facilitating both agendas. In addition to the Pentagon, several civilian departments will develop agency-specific plans for interacting with global partners in cyberspace, according to the international strategy.

The Government Business Council, the research arm of Nextgov and sister publication Government Executive, has created an interactive map that aims to guide federal, corporate and personal Internet users through the rules of the road under development. Each icon on the graphic directs visitors to a video featuring academic and policy experts who explain how the government should partner with the public and private sectors immediately and over the long haul to defend cyberspace.

Throughout July, the Governing Security in a Networked World infographic will launch new episodes every two weeks on this website, according to Erin Dian Dumbacher, associate director of research at the Government Business Council.

In upcoming segments, experts will share their views of emerging cyber policies. For example, Richard Weitz, a political-military analyst at the nonprofit Hudson Institute, says the various departmental agendas likely will not be set in stone, but rather will be living frameworks that agencies revisit periodically.

Frank J. Cilluffo, a former White House official and director of The George Washington University's Homeland Security Policy Institute, notes that the White House's international strategy says loud and clear that grave attacks in cyberspace are akin to physical attacks. "It put some important markers in the sand that they are going to maintain strategic ambiguity in terms of how they will respond, but it did make clear they will respond and they may do so through instruments beyond cyber. In other words, military instruments could be part of that strategic deterrent," he says.

But "time will tell as to whether it can be implemented as forcefully it is put into words right now," Cilluffo adds.

John Sheldon, a researcher at the George C. Marshall Institute, a public policy think tank, says the White House's defense strategy "does not mean that the next time China interferes with Google that we're going to see B-2 bombers flying over Beijing. There is not going to be anything as simplistic as that, thankfully."

The strategy instead "gives us the impetus to engage with who we think are the perpetrators of the attack -- and holds them accountable. That doesn't have to be through military means," he notes. "It can be done through economic sanctions. It can be diplomatically, such as with a demarche or a protest. It could also be done in an international organization -- such as the World Trade Organization, which covers issues such as intellectual property rights, which is a big issue in cybersecurity."

The Pentagon's forthcoming policy underscores the nation's economic interests in blocking cyber intruders. By emphasizing "the protection of the intellectual property that gives us our battlefield edge -- the strategy is an important milestone in our effort to operate in and defend cyberspace," according to Lynn's prepared remarks.

U.S. startup companies also may gain more government business opportunities under the plan. "We have added half a billion dollars in research and development funds for cybersecurity, launched our 'cyber accelerator' initiative to provide seed capital for defensive technologies, continued developing a 'cyber training range' to test new technologies, and partnered with the national labs and leading research institutions," the document states.

On July 15, watch for more Nextgov video clips from interviews with Estonian President Toomas Hendrik Ilves and Sen. Sheldon Whitehouse, D-R.I. They will address the balancing act public-private partnerships must pull off to successfully guard against attacks.

The last series, to be released Aug. 1, will cover future challenges. Hear Cilluffo talk about the role of every gadget-user in fending off intruders. In addition, the experts will discuss cyber staffing needs at agencies, and the work that remains to be done in the international sphere.