The Pentagon is pouring money into cybersecurity, but how that will work is another thing entirely.
When Defense Secretary Chuck Hagel’s plane landed at Joint Base Pearl Harbor-Hickam in Honolulu in late May on his way to meet with leaders of the U.S. Pacific Command, he met with troops and warned of one of the United States’ greatest enemies: hackers. He preached about the need for a “rules of the road” gospel covering all cyber activities -- especially when it comes to threats from China.
“Cyber threats are real,” he said. “They’re terribly dangerous.”
May was a sobering month in terms of cybersecurity.
After The Washington Post reported Chinese hacking attacks on an extraordinary range of weapons systems, Defense Department officials took the equally extraordinary step of saying the Pentagon has full confidence that U.S. weapons programs are “secure and reliable.” But, the article noted, a 2012 Senate Armed Services Committee investigation found as many as 1 million individual counterfeit parts are embedded in military aircraft.
The Post article also cited chilling revelations from an analysis by the Defense Science Board, a group of civilian advisers to the Pentagon. The board concluded the Defense Department has hardened its networks and large prime contractors are moving in that direction under Pentagon guidance, but subcontractors in the supply chain have not taken the necessary steps to detect and protect. These smaller suppliers have found defensive measures are “increasingly expensive and decreasingly effective,” the report said.
Even if subcontractors shore up network security, what are other nations and their defense contractors doing to protect their data?
Earlier in May, the Defense Department sent a report to Congress saying the Chinese government appeared to be using cyber espionage to modernize its military.
If that were not enough, the Commission on the Theft of American Intellectual Property cited China as the world’s largest source of proprietary data theft in a report by retired Adm. Dennis C. Blair, former director of national intelligence, and Jon M. Huntsman Jr., former ambassador to China, the panel's co-chairmen.
“Nearly every U.S. business sector -- advanced materials, electronics, pharmaceuticals and biotech, chemicals, aerospace, heavy equipment, autos, home products, software and defense systems -- has experienced massive theft and illicit reproduction,” Blair and Huntsman said in an op-ed the day before the report was released. “So far, our national response to this crisis has been weak and disjointed.”
The U.S. government is certainly throwing taxpayer dollars into cyber initiatives.
The Pentagon is seeking $4.7 billion in its fiscal 2014 budget request to “defend networks, degrade adversary cyber capabilities and support defense of national infrastructure.” Defense officials have pledged to work more closely with civil authorities and internally with the National Security Agency and Cyber Command, which is pushing to elevate its status to that of a combatant command.
The $800 million increase in cyber budgeting will go largely to train and develop 40 mission teams, 25 direct support teams and 68 protection teams to assist the Homeland Security Department in securing federal and critical commercial systems by 2016, according to budget documents.
How it is all going to work is another thing.
“You can’t defend everything,” even inside the Pentagon, Franklin Kendall, a former undersecretary of Defense, told attendees at a recent Joint Warfighting Symposium in Virginia Beach, Va. He said the emphasis has been on building offensive cyber capabilities, which has implications in the private sector as well.
Collateral damage is the biggest challenge, Vice Adm. Robert Parker, the Coast Guard’s Atlantic Area commander, said at the symposium. “You just don’t know what happens downstream when the military goes on the offensive,” he said.
More intriguingly, Parker raised the issue of whether the armed services should “have a role in escorting data” in a 21st century version of the World War II convoys carrying materiel and troops to Europe. He said that is a possible niche that Homeland Security, which includes the Coast Guard, and Cyber Command could develop.
A far more perplexing debate is surfacing in the private sector, according to Kendall. “Should a company have the right to self-defense?” he asked, raising the question of how far organizations should go to defend themselves. This is the murkiest quandary hiding in a swamp of risks.
The intellectual property commission warned against private-sector retaliation against hackers, even if companies are attempting to take back what is rightfully theirs. “An action against a hacker designed to recover a stolen information file or to degrade or damage the computer system of a hacker might degrade or damage the computer or network of an innocent third party,” Blair and Huntsman said in their report.
During his stop in Hawaii, Hagel said: “Another very important component to this is our allies and our partners, because we live in a world -- and you all know this -- where one country's just not big enough, strong enough, good enough, wealthy enough to handle it all. We can't do it, especially cyber. And cyber is one of those quiet, deadly, insidious unknowns you can't see, it's in the ether. It's not one big navy sailing into a port or one big army crossing a border or squadrons of fighter planes crossing a border. This is a very difficult, but real and dangerous threat. And there's no higher priority for our country than this issue.”
On his way to the NATO ministerial meeting in Brussels and in Singapore, where he met with Chinese military officials, the Defense chief pledged to make cyber his highest priority. President Obama also raised cyber espionage issues with Chinese President Xi Jinping during their recent talks in California.
Engaging the Chinese is a start. Working with allies, hardening networks and passing laws qualifying who can do what and when in cyberspace also are essential. Such initiatives will lead to those critical rules of the road, but getting there will not be easy.
John Grady, retired director of communications for the Association of the United States Army, writes about defense and national security.