The military must move from defending against major cyberattacks to deterring assaults by letting enemies know the U.S. is willing to retaliate with its own virtual weapons or military force, a top general said Thursday.
The Pentagon's new strategy for threats from computer hackers primarily deals with enhancing the defense of its computer systems and those of its military contractors. But Marine Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, said that policy is just a start. He said that over the next decade the military would move beyond building better firewalls and make clear to adversaries that they will pay a price for serious cyberattacks.
"There is no penalty to attacking us now. We have to figure out a way to change that," Gen. Cartwright said.
Over the next decade the military must move from a focus on cyber defenses to actively deterring computer attacks, according to the vice chairman of the Joint Chiefs, Gen. Cartwright. Julian Barnes explains
Deputy Secretary of Defense William Lynn said the laws of armed conflict apply in cyberspace, implying that the U.S., in some cases, reserves the right to use real bullets and real bombs to retaliate for virtual attacks. The Wall Street Journal reported the military's conclusion in May.
At the same time, a critical part of the new strategy is to improve the defenses of the military's computer networks to ensure that cyberattackers are quickly identified and get little of benefit when they strike.
"If we can minimize the impact of attacks on our operations and attribute them quickly and definitively, we may be able to change the decision calculus of an attacker," Mr. Lynn said.
Cyberattacks have resulted in the theft of thousands of files from the U.S. government, allies and private industry. Each year, a volume of intellectual property exceeding the size of the Library of Congress is stolen from U.S. government and private-sector networks, the Pentagon strategy document says.
Attackers have targeted the Pentagon's most expensive weapons system, the Joint Strike Fighter, a project led by Lockheed Martin Corp. Lockheed was the target of a more recent cyberattack, facilitated by a breach of the computer-security firm RSA, which makes tokens for secure network connections. A hacking group called AntiSec said this week it had hacked into defense contractor and consultancy Booz Allen Hamilton and stolen 90,000 military email addresses and passwords.
"Our reliance on cyberspace stands in stark contrast to the inadequacy of our cybersecurity," the document says. "Many foreign nations are working to exploit [the Pentagon's] unclassified and classified networks, and some foreign intelligence organizations have already acquired the capacity to disrupt elements" of its information infrastructure.
Mr. Lynn said a "foreign intelligence service" had stolen 24,000 files from a U.S. defense contractor in a March cyberattack. He provided no other details of the attack but said a weapons system may need to be at least partly redesigned as a result of the breach.
Critics said the Pentagon strategy was incomplete.
"The plan as described fails to engage on the hard issues, such as offense and attribution," or identifying who mounted an attack, said Stewart Baker, a former general counsel at the National Security Agency.
Gen. Cartwright cautioned that the U.S. wouldn't routinely strike at foreign state-sponsored hackers, either with cyberweapons or real-world weapons. At a roundtable sponsored by the Center for Media and Security, he said subsequent strategy documents will clarify how the laws of war apply to cyberspace and what policies should guide deterrence.
Gen. Cartwright said he hoped the Defense Department's cyber efforts will have moved from being 90% focused on defense to 90% focused on deterrence within a decade.
If the U.S. were attacked in a way that justified a response under the laws of armed conflict, it could react in a variety of ways. Responses could begin with diplomatic efforts, then escalate into a "kinetic" attack, with real-world weapons, Gen. Cartwright said.
Some cybersecurity specialists said the strategy was a reasonable first step. "They've identified the right problems and the right approaches to addressing them," said James Lewis, a cybersecurity specialist at the Center for Strategic and International Studies, who frequently advises the administration.
Rep. Jim Langevin, a Rhode Island Democrat who has pressed for enhanced cybersecurity, applauded the strategy, but said it leaves key questions unanswered, such as whether data theft alone—rather than cyberattack that disabled the power grid, for instance—could ever amount to an act of war.
source : the wall street journal