Pentagon officials on Thursday unveiled an unclassified version of a new cyber operations strategy that focuses on defensive protections, rather than offensive actions, to stem an ever increasing number of military network intrusions.
"The thrust of this strategy is defensive. It is protecting the networks because those networks undergird all of our capabilities -- offensive and defensive," Deputy Defense Secretary William J. Lynn III told reporters at the National Defense University after giving a speech on the rationale behind the plan.
Some military experts said they had hoped to see a greater emphasis on beating the attackers.
"I think we should start with the assumption that we want to win a war, if a war is fought in cyberspace," Stewart A. Baker, a former Homeland Security Department assistant secretary told Nextgov. "And I don't think that defense is going to win a war."
But he and Defense officials agreed that it is hard to identify who or what the adversary is on an Internet that fosters anonymity. For example, nation states can sponsor cyber crooks to hack into U.S. military networks and outages can happen when innocent people tinker in a complex, interconnected environment.
"Figuring out whom to attack and who attacked us and how to respond will require a lot of research and development," acknowledged Baker, now a partner at Washington law firm Steptoe & Johnson.
Pentagon officials said the difficulty of pinpointing attribution is one reason they opted for a deterrence approach to eliminate the enemy's hope of gaining access to U.S. defense networks. As part of the policy, the U.S. military is deploying more active cyber defense tools, such as software and sensors that enable real-time detection of vulnerabilities and penetrations. The idea is to stop malicious activity before it can penetrate military systems, as Nextgov first reported July 8.
Other cyber experts said the new strategy is right on the mark. "I think the posture is completely appropriate," said Neal A. Pollard, an adjunct professor at Georgetown University and national security specialist at PRTM Management Consultants. "The Defense Department's primary mission is to prevent war -- I think that it's very important to emphasize that as the primary point of the DoD cyberspace operations strategy."
Defense networks are probed millions of times every day -- and sometimes successfully, according to the document. During a single intrusion in March, perpetrators believed to be backed by a foreign intelligence service extricated tens of thousands of files related to weapons systems, Lynn said. "We think a nation state was behind it," he added, declining to name the country.
"It was 24,000 files, which is a lot, but I don't think it's the largest we've seen," Lynn said. Unauthorized scanning of military systems "is on the increase and has been on the increase every year for the past five or six."
The Pentagon strategy equates a devastating cyberattack to an act of war, a position widely believed to be the case: "The United States reserves the right, under the laws of armed conflict, to respond to serious cyberattacks with a proportional and justified military response at the time and place of our choosing," the strategy states. Defense now treats cyberspace as an operational domain, just like land, sea, air and space.
But, to date, most malicious activity on the Web has not reached this level, Lynn said. Intrusions largely have targeted intellectual property and personal information housed on government and commercial networks for profit -- not for killing.
Terrorists have not yet acquired the technical know-how to take out the systems running hospital centers, for example. "If a terrorist group gains disruptive or destructive cyber tools, we have to assume they will strike with little hesitation," Lynn said during the speech. "And it is clear that terrorist groups, as well as rogue states, are intent on acquiring, refining and expanding their cyber capabilities."
The framework also explains the role of the military in guarding private networks, including critical infrastructure, such as power grids, where disruption could cause catastrophe. It anticipates greater partnership between the Pentagon and DHS, which has jurisdiction over commercial and civilian agency networks. "The formalized structure reaffirms the limits that current law and policy set on DoD and DHS collaboration," the strategy states.
Many Americans are worried about the military looking at the online traffic of private citizens. But because U.S. defense operations depend on critical infrastructure networks, too, Pentagon officials have to somehow support civilian cybersecurity. For example, almost all the electricity consumed by the military is delivered through civilian networks, Lynn said during his remarks.
To sustain connectivity without overstepping its bounds, the Pentagon this summer is handing a few defense contractors classified intelligence on threats for independent use. Defense is not monitoring their networks or intercepting attacks. After the test program wraps up at the end of the summer, department officials will contemplate whether to open up the secret information to more Pentagon suppliers and, perhaps, operators of vital civilian systems, Lynn said in response to a question from a contractor attending the event.
"Can you expand it to other critical infrastructure [systems] and is it appropriate to do so?" is one of the questions officials will review, he said.
The original story misidentified Neal Pollard's current position. The story has been corrected.