recommended reading

Pentagon goes on the defensive with cyber strategy

Pentagon officials on Thursday unveiled an unclassified version of a new cyber operations strategy that focuses on defensive protections, rather than offensive actions, to stem an ever increasing number of military network intrusions.

"The thrust of this strategy is defensive. It is protecting the networks because those networks undergird all of our capabilities -- offensive and defensive," Deputy Defense Secretary William J. Lynn III told reporters at the National Defense University after giving a speech on the rationale behind the plan.

Some military experts said they had hoped to see a greater emphasis on beating the attackers.

"I think we should start with the assumption that we want to win a war, if a war is fought in cyberspace," Stewart A. Baker, a former Homeland Security Department assistant secretary told Nextgov. "And I don't think that defense is going to win a war."

But he and Defense officials agreed that it is hard to identify who or what the adversary is on an Internet that fosters anonymity. For example, nation states can sponsor cyber crooks to hack into U.S. military networks and outages can happen when innocent people tinker in a complex, interconnected environment.

"Figuring out whom to attack and who attacked us and how to respond will require a lot of research and development," acknowledged Baker, now a partner at Washington law firm Steptoe & Johnson.

Pentagon officials said the difficulty of pinpointing attribution is one reason they opted for a deterrence approach to eliminate the enemy's hope of gaining access to U.S. defense networks. As part of the policy, the U.S. military is deploying more active cyber defense tools, such as software and sensors that enable real-time detection of vulnerabilities and penetrations. The idea is to stop malicious activity before it can penetrate military systems, as Nextgov first reported July 8.

Other cyber experts said the new strategy is right on the mark. "I think the posture is completely appropriate," said Neal A. Pollard, an adjunct professor at Georgetown University and national security specialist at PRTM Management Consultants. "The Defense Department's primary mission is to prevent war -- I think that it's very important to emphasize that as the primary point of the DoD cyberspace operations strategy."

Defense networks are probed millions of times every day -- and sometimes successfully, according to the document. During a single intrusion in March, perpetrators believed to be backed by a foreign intelligence service extricated tens of thousands of files related to weapons systems, Lynn said. "We think a nation state was behind it," he added, declining to name the country.

"It was 24,000 files, which is a lot, but I don't think it's the largest we've seen," Lynn said. Unauthorized scanning of military systems "is on the increase and has been on the increase every year for the past five or six."

The Pentagon strategy equates a devastating cyberattack to an act of war, a position widely believed to be the case: "The United States reserves the right, under the laws of armed conflict, to respond to serious cyberattacks with a proportional and justified military response at the time and place of our choosing," the strategy states. Defense now treats cyberspace as an operational domain, just like land, sea, air and space.

But, to date, most malicious activity on the Web has not reached this level, Lynn said. Intrusions largely have targeted intellectual property and personal information housed on government and commercial networks for profit -- not for killing.

Terrorists have not yet acquired the technical know-how to take out the systems running hospital centers, for example. "If a terrorist group gains disruptive or destructive cyber tools, we have to assume they will strike with little hesitation," Lynn said during the speech. "And it is clear that terrorist groups, as well as rogue states, are intent on acquiring, refining and expanding their cyber capabilities."

The framework also explains the role of the military in guarding private networks, including critical infrastructure, such as power grids, where disruption could cause catastrophe. It anticipates greater partnership between the Pentagon and DHS, which has jurisdiction over commercial and civilian agency networks. "The formalized structure reaffirms the limits that current law and policy set on DoD and DHS collaboration," the strategy states.

Many Americans are worried about the military looking at the online traffic of private citizens. But because U.S. defense operations depend on critical infrastructure networks, too, Pentagon officials have to somehow support civilian cybersecurity. For example, almost all the electricity consumed by the military is delivered through civilian networks, Lynn said during his remarks.

To sustain connectivity without overstepping its bounds, the Pentagon this summer is handing a few defense contractors classified intelligence on threats for independent use. Defense is not monitoring their networks or intercepting attacks. After the test program wraps up at the end of the summer, department officials will contemplate whether to open up the secret information to more Pentagon suppliers and, perhaps, operators of vital civilian systems, Lynn said in response to a question from a contractor attending the event.

"Can you expand it to other critical infrastructure [systems] and is it appropriate to do so?" is one of the questions officials will review, he said.

The original story misidentified Neal Pollard's current position. The story has been corrected.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.


When you download a report, your information may be shared with the underwriters of that document.