Pentagon unveils its new cyberstrategy. Well, some of it, anyway.
The Pentagon – belatedly, perhaps – outlines its 'Strategy for Operating in Cyberspace.' A slim unclassified document emphasizes a defensive posture, leaving many questions unanswered.
Land. Air. Sea. Space. And now, officially, Cyber, too.
The Pentagon on Thursday unveiled its first ever “Strategy for Operating in Cyberspace,” officially – some say belatedly – staking out its turf in the digital realm of networks and computers, an arena that analysts say has been militarized for years.
The document outlining the strategy emphasized its defensive – albeit proactive – posture, indicating only by omission the presumed offensive capabilities of a nation seen by many cyberwar experts as the world’s preeminent cyber superpower.
Some analysts were quick to criticize the unclassified document as shedding little light on the full and true nature of the Pentagon’s new cyberstrategy.
Recent leaks of some elements of the policy document led to its early characterization as focusing on circumstances under which the United States would retaliate with bombs, if it came under serious cyber attack.
But this slender 13-page document stresses measures to enhance US cyberdefenses, with nary a mention of offensive cyber weapon deployment, development, or cyberwar strategy other than the broad mandate to make “cyber” a full-fledged “operational domain.”
“Far from ‘militarizing’ cyberspace, our strategy of securing networks to deny the benefit of an attack will help dissuade military actors from using cyberspace for hostile purposes,” Deputy Defense Secretary William Lynn said Thursday at the National Defense University in a speech characterizing the new strategy. “Indeed, establishing robust cyberdefenses no more militarizes cyberspace than having a navy militarizes the ocean.”
“Peace through preventive defense is at the heart of our DoD cyberstrategy and the administration’s overall approach to cyberspace,” he said, referring apparently to sensors and other network systems by which the Pentagon hopes to thwart infiltrating hackers – or at least give them less than they had hoped to gain.
Amid headlines touting the latest “cyberbattle” and breathless coverage of hackers defacing websites or criminals scooping up credit card and personal information, Mr. Lynn asserted that little of what is characterized in the media as cyberwar or cyberbattles comes close to meriting military attention, much less military action.
“While identifying criminal activity in cyberspace is of concern, this is not the Defense Department’s primary concern,” he said. “Rather, our concern is specific to activities that threaten our mission to protect the security of the nation.”
Lynn’s speech – and the new document – outline “five pillars” that characterize the Defense Department's cyberstrategy, including:
• Operational Domain: The Defense Department will treat cyberspace as an “operational domain,” just as it does land, air, sea, and space. What that means is that the military will operate within and defend its networks as well as organize, train and equip US forces for cyber missions.
• Active Defenses. The US is deploying for the first time new “active defenses” that employ “sensors, software, and signatures” aimed at detecting and stopping malicious code before it affects military networks and operations – thereby denying the benefit of an attack.
• Critical Infrastructure Defense. Here, the Pentagon describes its role helping defend critical infrastructure and nonmilitary networks that undergird key military functions, including the power grid, financial sector, and transportation system.
Because the US military is restricted from certain domestic operations, it is working in partnership with the Department of Homeland Security and private sector partners to lend its expertise to protect US critical infrastructure – providing to both the signatures and systems that help identify malicious software. Punctuating that point, Mr. Lynn noted in his speech a serious, previously unknown intrusion in March into a defense contractor’s network that netted 24,000 files.
• International Defense Building. This fourth pillar lays out expectations that the US will build “collective cyberdefenses” with international partners and allies, including NATO, expanding awareness of malicious software attacks.
• Training and Technology. The fifth pillar aims to ramp up training of defense personnel. The idea is to weaken the advantage cyberattackers enjoy due to anonymity on the Internet and generally porous defenses in society.
With DoD operating more than 15,000 networks and seven million computing devises in installations around the world, the target is huge. So the Pentagon is seeking some technological fixes to shift the field away from attackers, the strategy document indicates.
Though not in the document, the Defense Advanced Research Projects Agency (DARPA) recently announced work on new computer systems that adapt on the fly to attacks to increase resilience. Add to that new encryption technology that prevents data from becoming visible or vulnerable to an attacker.
Alan Paller, research director for the Sans Institute, a Washington-based cybersecurity education organization, says he especially likes pillars two and five – protecting critical infrastructure and ramping up procurement.
“This is the first time the nation has fully and publicly committed to continuous monitoring and active defense that will allow the federal government to raise the bar in securing existing systems,” he says in an email interview.
But for others the document was missing too many major elements, offensive cyberweapons strategy, for one.
Shrouded in secrecy, the development of weaponized cyber is being conducted in the US – as in many other nations – outside public view and with little debate about their impact on international treaties and on conventional theories of war – such as deterrence – that have governed nations for decades, cyber warfare experts say.
Weapons like Stuxnet, the world's first-publicly confirmed piece of weaponized software that some have called a “digital guided missile” was discovered last year to have hammered Iran’s nuclear facilities. Nobody knows who developed Stuxnet, even though the US and Israel are high on the list of suspects, many say.
The new document doesn’t reference US offensive cyber weapons capability or development, or when such weapons might be used against an adversary. Yet, doctrine and policy regarding such use is a major issue within the cyberpolicy community, some arguing the president should be involved in many, if not most, decisions to deploy such weapons. Still, it’s possible such questions are more directly addressed in a classified version of the cyber document that observers presume exists.
“I didn't see a single new thing here,” says a member of the 2009 National Research Council study of the legality and ethics of using offensive cyberweapons, who asked not to be named. “This so-called strategy is so broadly written that not only is there nothing new in it, parts of this could have been written in the mid-90s – stuff about active defenses, better training, better procurement – it's the same old stuff. It's hard to see how this constitutes a strategy.”
Others agreed there were obvious omissions with no reference to “information operations” – the deployment of digital disinformation – or a new generation of cyberweapons that could take out computer-controlled power grids, refineries, chemical factories and other computer controlled infrastructure, says Dan Kuehl, a professor of information operations at National Defense University, who attended Lynn's speech.
“The reality is this is really a document focused on cybersecurity efforts, which are not unimportant, but it's only one or two slices of the pizza,” Dr. Kuehl says. “Where's the DoD's strategy for the use of cyberspace to influence operations?” he asks, referring to the use of disinformation.
Still, he thought Lynn's speech and the document are unambiguous about the major issue: the military's key role in cyberspace.
“There's been some unhappiness emerging about the idea of militarizing cyberspace,” he says. “But I thought Lynn's speech and the strategy document are right on the mark in trying to just normalize it – driving a gentle stake through the heart of all this concern.
“I mean, give me a break, it has been militarized for two decades just like space. We're just catching up with it.”