Defense positions a military cyber squad on DHS turf

koya979/Shutterstock.com

Featured eBooks
Space Tech
Read Now

CDM

Read Now

Digital Transformation

Read Now
Aliya Sternstein By Aliya Sternstein,
Senior Correspondent

By Aliya Sternstein

|

Computer security experts react to Cyber Command proposal with optimism, blunted by reality that attacks are hard to foresee.

Pentagon plans to deploy a military cyber squad to guard U.S. networks sustaining hospitals and other vital commercial sectors drew hopeful skepticism from technology experts -- and silence from counterparts at the Homeland Security Department.

A recently-disclosed blueprint shows the Defense Department would significantly expand Cyber Command, which has been operational since 2010, and organize it into three sections: combat mission forces would support military commanders in offensive operations against adversaries’ computers; protection forces would defend military networks; and national mission forces would protect domestic critical infrastructure such as energy and transportation networks, the disruption of which could devastate civil society. The command overhaul was first reported by The Washington Post.

Cyberwar researchers, legal experts and industry officials said they believe the Defense Department is the best-resourced federal entity -- in terms of both funding and expertise -- to attempt thwarting major cyberattacks. But they are doubtful any federal department has the tools to reliably identify the source of an incident without misinterpreting the motive of the attacker or possibly targeting an innocent country.

When a destructive cyberattack is imminent, international law allows a proportional response to block the strike, said retired Maj. Gen. Charles Dunlap, a former deputy judge advocate general for the Air Force. “The U.S. does not consider it legally necessary to actually suffer an attack before taking action in self-defense,” he explained.

Still, federal law constrains the authority of military forces domestically, and even if a hostile attack were underway, it is unlikely U.S. forces would have sufficient time to react.

“That would require a rather robust ability to distinguish between major and minor attacks at, literally, the speed of light. That would be, I think, very challenging to do,” said Dunlap, now on the faculty of Duke University Law School.

Complicating matters further, the Pentagon appears to have crafted its reorganization plan without the Homeland Security Department’s cooperation. Under a 2003 presidential directive, DHS must play the primary role in any governmentwide effort to protect American critical infrastructure.

On Friday, Homeland Security officials declined to answer questions about whether the department was involved in the Pentagon’s plan for a domestic cyber force. DHS Secretary Janet Napolitano has been promoting an expected White House executive order that would require Homeland Security to develop cybersecurity standards for critical infrastructure companies and improve information-sharing about vulnerabilities.

DHS officials also would not answer questions about whether the separate military and White House critical infrastructure plans are coordinated endeavors. When asked about collaboration with the Pentagon on these matters, DHS spokesman SY Lee said in a statement, “The Department of Homeland Security is responsible for leading a coordinated national response to significant cyber incidents, and for establishing and maintaining a cyber common operational picture across federal civilian departments.”

The private sector operates an estimated 80 percent to 90 percent of critical infrastructure networks. Consequently, DHS currently works with the owners and operators of those systems to help secure them. Addressing the issue of how its forces will protect vital industries without bugging private networks, a Defense official told Nextgov in a statement, “Cyber National Mission Forces will be prepared to conduct full spectrum cyber operations” to abate threats. According to federal auditors, full spectrum cyber operations encompass surveilling and destroying adversary networks when danger is suspected, not commercial networks.

Dunlap said, “It’s critical for the military not to appear to be infringing upon the privacy and civil liberties of ordinary Americans,  even in the name of cyber security,” adding that “domestic cyber-snooping could put at risk the sterling reputation the military needs to attract America’s best and brightest into its ranks.”

Where will the money come from?

Under the new organizational structure, the size of the command would swell from 900 to 4,900 military and civilian cyber professionals, according to the Post. Observers were befuddled by the envisioned personnel spike, since the Pentagon has announced hiring freezes and other measures to cut spending with sequestration looming.

Defense could squeeze more money out of Congress by stating that the command is taking on more responsibilities. “By ramping up cyber forces in era of dwindling resources, DoD sent a strong message to Congress about how serious it considers the cyber threat. I expect Congress will respond with increasing support for the cyber mission sooner rather than later,” Dunlap said. Earlier, some budget analysts had predicted Defense would rebrand programs as cyber activities to obtain funding boosts, even programs largely unrelated to computer security.

Indications are that the military would act against attacks on civil networks only in the event that national security is threatened or lives are at stake -- not to protect individuals from identity theft or monetary harm, for example. “Under certain circumstances, the DOD believes that they can intercept a hostile attack against U.S. [critical infrastructure] before it hits,” said Jeffrey Carr, a cyberwar researcher and author of “Inside Cyberwarfare” (O'Reilly Media 2009).  “Theoretically, if  intelligence assets uncover an imminent attack by North Korea, for  example, to attack the air traffic control system and cause mass  casualties, then DoD could take action to eliminate the threat” legally as an act of self-defense.  

But, he added, it is doubtful the United States would be able to predict an impending attack due to the nature of malicious software and the anonymity of the Web. “If you don't know attribution, you can't know where the attack will come from, where to look,” be it China, Iran or another nation state, Carr said.

“It's not like DoD can really see malware on its way to the U.S., unless it’s a known signature,” or a hallmark of harmful code already identified by antivirus technology, he said.

More likely, he added, the carrier of the virus would be an offline USB stick inserted into a computer on a company’s internal network, as was the case with a critical infrastructure attack in Saudi Arabia. According to Bloomberg BusinessWeek, this was the method of attack used to disperse the so-called Shamoon virus during an August strike on network services at state-owned Saudi Aramco. The attack corrupted 30,000 employee workstations. “The Shamoon virus was probably the most destructive attack that the private sector has seen to date,” Defense Secretary Leon Panetta said in October 2012.

Some industry representatives, with a fairly positive view of the revamped Cyber Command, sense the Pentagon is stepping up to fortify domestic cyber forces now because cybersecurity reforms have been stalled in Congress for years.

“I had a bipolar reaction. The first reaction is that it is comforting,” said Trey Hodgkins, senior vice president for global public sector government affairs for trade association TechAmerica. “The rest of the government, including the DHS, is years behind” in cybersecurity expertise, while Defense “has done a great job in positioning itself ahead of the government. At the same time, we share the concern that companies don’t want to see their ability to manage their own data, the data of their customers, called into question or become more challenging for them.”

NEXT STORY: China hacked the Wall Street Journal, too

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.