recommended reading

Pentagon goes on the defensive with cyber strategy

Pentagon officials on Thursday unveiled an unclassified version of a new cyber operations strategy that focuses on defensive protections, rather than offensive actions, to stem an ever increasing number of military network intrusions.

"The thrust of this strategy is defensive. It is protecting the networks because those networks undergird all of our capabilities -- offensive and defensive," Deputy Defense Secretary William J. Lynn III told reporters at the National Defense University after giving a speech on the rationale behind the plan.

Some military experts said they had hoped to see a greater emphasis on beating the attackers.

"I think we should start with the assumption that we want to win a war, if a war is fought in cyberspace," Stewart A. Baker, a former Homeland Security Department assistant secretary told Nextgov. "And I don't think that defense is going to win a war."

But he and Defense officials agreed that it is hard to identify who or what the adversary is on an Internet that fosters anonymity. For example, nation states can sponsor cyber crooks to hack into U.S. military networks and outages can happen when innocent people tinker in a complex, interconnected environment.

"Figuring out whom to attack and who attacked us and how to respond will require a lot of research and development," acknowledged Baker, now a partner at Washington law firm Steptoe & Johnson.

Pentagon officials said the difficulty of pinpointing attribution is one reason they opted for a deterrence approach to eliminate the enemy's hope of gaining access to U.S. defense networks. As part of the policy, the U.S. military is deploying more active cyber defense tools, such as software and sensors that enable real-time detection of vulnerabilities and penetrations. The idea is to stop malicious activity before it can penetrate military systems, as Nextgov first reported July 8.

Other cyber experts said the new strategy is right on the mark. "I think the posture is completely appropriate," said Neal A. Pollard, an adjunct professor at Georgetown University and national security specialist at PRTM Management Consultants. "The Defense Department's primary mission is to prevent war -- I think that it's very important to emphasize that as the primary point of the DoD cyberspace operations strategy."

Defense networks are probed millions of times every day -- and sometimes successfully, according to the document. During a single intrusion in March, perpetrators believed to be backed by a foreign intelligence service extricated tens of thousands of files related to weapons systems, Lynn said. "We think a nation state was behind it," he added, declining to name the country.

"It was 24,000 files, which is a lot, but I don't think it's the largest we've seen," Lynn said. Unauthorized scanning of military systems "is on the increase and has been on the increase every year for the past five or six."

The Pentagon strategy equates a devastating cyberattack to an act of war, a position widely believed to be the case: "The United States reserves the right, under the laws of armed conflict, to respond to serious cyberattacks with a proportional and justified military response at the time and place of our choosing," the strategy states. Defense now treats cyberspace as an operational domain, just like land, sea, air and space.

But, to date, most malicious activity on the Web has not reached this level, Lynn said. Intrusions largely have targeted intellectual property and personal information housed on government and commercial networks for profit -- not for killing.

Terrorists have not yet acquired the technical know-how to take out the systems running hospital centers, for example. "If a terrorist group gains disruptive or destructive cyber tools, we have to assume they will strike with little hesitation," Lynn said during the speech. "And it is clear that terrorist groups, as well as rogue states, are intent on acquiring, refining and expanding their cyber capabilities."

The framework also explains the role of the military in guarding private networks, including critical infrastructure, such as power grids, where disruption could cause catastrophe. It anticipates greater partnership between the Pentagon and DHS, which has jurisdiction over commercial and civilian agency networks. "The formalized structure reaffirms the limits that current law and policy set on DoD and DHS collaboration," the strategy states.

Many Americans are worried about the military looking at the online traffic of private citizens. But because U.S. defense operations depend on critical infrastructure networks, too, Pentagon officials have to somehow support civilian cybersecurity. For example, almost all the electricity consumed by the military is delivered through civilian networks, Lynn said during his remarks.

To sustain connectivity without overstepping its bounds, the Pentagon this summer is handing a few defense contractors classified intelligence on threats for independent use. Defense is not monitoring their networks or intercepting attacks. After the test program wraps up at the end of the summer, department officials will contemplate whether to open up the secret information to more Pentagon suppliers and, perhaps, operators of vital civilian systems, Lynn said in response to a question from a contractor attending the event.

"Can you expand it to other critical infrastructure [systems] and is it appropriate to do so?" is one of the questions officials will review, he said.

The original story misidentified Neal Pollard's current position. The story has been corrected.

Threatwatch Alert

Accidentally leaked credentials / Misplaced data

Boeing Employee Emails 36,000 Coworkers’ Personal Info to Spouse

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    Download
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    Download
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    Download
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    Download

When you download a report, your information may be shared with the underwriters of that document.