In the wake of a rising number of cyberattacks on computer networks worldwide, the U.S. Department of Defense on July 14 released an unclassified strategy for defending against and responding to attacks on U.S. computer networks and infrastructure.
Speaking at the National Defense University on the release of the 13-page “Department of Defense Strategy for Operating in Cyberspace,” Deputy Secretary of Defense William Lynn said, “[B]its and bytes can be as threatening as bullets and bombs” in the 21st century.
The new strategy is part of the Obama administration’s efforts to combat cybersecurity threats domestically and internationally. In May 2009, at the unveiling of the administration’s “Cyber Policy Review,” President Barack Obama said, “It’s the great irony of our Information Age—the very technologies that empower us to create and to build also empower those who would disrupt and destroy.” Last May, the administration issued its “International Strategy for Cyberspace,” which called for the establishment of international norms for how states operate in cyberspace. Last September, the departments of Defense and Homeland Security, which have responsibilities for protecting critical U.S. infrastructure, signed a memorandum of agreement to coordinate cyberactivity.
Malicious criminal cyberactivity is on the rise, with significant intrusions affecting government and commercial institutions on a regular basis. According to Lynn, critical infrastructure has been probed by state and nonstate actors.
Although the Defense Department is concerned by criminal activity in cyberspace, that is not the department’s main worry, Lynn said. “Our assessment is that cyberattacks will be a significant component of any future conflict, whether it involves major nations, rogue states, or terrorist groups,” he said. “Tools capable of disrupting or destroying critical networks, causing physical damage, or altering the performance of key systems” already exist, he said.
“Significant disruptions to any one of these sectors could impact defense operations,” Lynn warned. “A cyberattack against more than one could be devastating,” he said.
“Sophisticated cybercapabilities reside almost exclusively in nation-states. Although attribution in cyberspace can be difficult, this risk of discovery and response for a major nation is still too great to risk launching destructive attacks against the United States,” he said.
According to the new Defense Department strategy, the virtual realm of computer networks and related physical infrastructure will be treated as another operational domain like air, sea, land, and space, and the United States will apply the rules of armed conflict in the event of cyberattack. “Accordingly, the United States reserves the right, under the laws of armed conflict, to respond to serious cyberattacks with a proportional and justified military response at the time and place of our choosing,” Lynn said.
Lynn emphasized, however, that the new Pentagon cyberstrategy focuses on protecting against cyberattack and takes a more defensive approach to how the United States will operate within the cyberspace domain. Lynn said, “Our strategy’s overriding emphasis is on denying the benefit of an attack. Rather than rely on the threat of retaliation alone to deter attacks in cyberspace, we aim to change our adversaries’ incentives in a more fundamental way.”
The new strategy lays out five strategic initiatives designed to guide the Defense Department in how to operate and defend the United States in cyberspace. In addition to considering cyberspace as “an operational domain,” they are to “employ new defense operating concepts to protect [Defense Department] networks and systems,” use a “whole government approach” to cybersecurity, “strengthen collective cybersecurity” by working with allies and international partners, and invest in a highly trained “cyber workforce” and in technological innovation.
To protect current networks, the Pentagon cyberstrategy calls for improving best practices in order to protect against insider threats. It also calls for the employment of an “active” cyberdefense capability to prevent intrusions into the Defense Department’s networks by developing new operating concepts and computer architectures designed to give the department “real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities.”
The strategy also outlines the development of the National Cyber Range that will allow the Defense Department and its partners to “test and evaluate new cyberspace concepts, policies, and technologies.” At an estimated cost of $130 million, the Defense Advanced Research Projects Agency (DARPA), along with private contractors, is developing the cyberrange. One of the key contractors, Lockheed Martin, was itself the target of a significant cyberattack in May. The cyberrange will be a closed network that will replicate the Internet and is expected to be operational by mid-2012. DARPA is the research arm of the Defense Department and was the agency responsible for creating the Internet.
The new Defense Department cyberstrategy reiterates key elements of last May’s international strategy document by calling for “[c]ontinued international engagement, collective self-defense, and the establishment of international cyberspace norms [that] will also serve to strengthen cyberspace for the benefit of all.” (See ACT, June 2011.)
The Defense Department strategy also says the Pentagon “will seek increasingly robust international relationships to reflect our core commitments and common interests in cyberspace.” The strategy states that “[t]he development of international shared awareness and warning capabilities will enable collective self-defense and collective deterrence.”
In an August 11 interview, James Lewis, a cyber expert at the Center for Strategic and International Studies (CSIS), said the strategy “puts flesh on the bones” of the 2009 review and also follows recommendations from experts, including the 2008 CSIS Commission on Cybersecurity. Lewis was the commission’s project director. The Defense Department strategy “emphasizes the need for better technology to protect critical network infrastructure” and “relies on establishing international norms and collective defense,” he said.
Some critics of the new Pentagon strategy say it does not provide enough detail on potential offensive, retaliatory options, either in cyberspace or through conventional actions, that would be used in the event of a major foreign cyberattack. But Lewis said, “It’s the right blend.”
One of the main obstacles to retaliatory actions is the challenge of confidently identifying the origin of a cyberattack. Sophisticated cyberattacks occur over several networks at once, making attribution in real time difficult. “This structural property of the current architecture of cyberspace means that we cannot rely on the threat of retaliation alone to deter potential attackers,” Lynn said in his speech. “Far from ‘militarizing’ cyberspace, our strategy of securing networks to deny the benefit of an attack will help dissuade military actors from using cyberspace for hostile purposes.”