The Pentagon is rapidly preparing for cyberwar in the face of alarming and growing threats, say senior defense officials, who add that sophisticated attacks have prompted them to take the striking step of investigating the feasibility of expanding NATO’s collective defense tenet to include cyberspace.
But as such planning intensifies, the military is struggling with some basics of warfare – including how to define exactly what, for starters, constitutes an attack, and what level of cyberattack warrants a cyber-reprisal.
“I mean, clearly if you take down significant portions of our economy we would probably consider that an attack,” William Lynn, the deputy secretary of defense, said recently. “But an intrusion stealing data, on the other hand, probably isn’t an attack. And there are [an] enormous number of steps in between those two.”
Today, one of the challenges facing Pentagon strategists is “deciding at what threshold do you consider something an attack,” Mr. Lynn said. “I think the policy community both inside and outside the government is wrestling with that, and I don’t think we’ve wrestled it to the ground yet.”
Equally tricky, defense officials say, is how to pinpoint who is doing the attacking. And this raises further complications that go to the heart of the Pentagon’s mission. “If you don’t know who to attribute an attack to, you can’t retaliate against that attack,” noted Lynn in a recent discussion at the Council on Foreign Relations.
As a result, “You can’t deter through punishment, you can’t deter by retaliating against the attack.” He lamented the complexities that make cyberwar so different from, say, “nuclear missiles, which of course come with a return address.”
How to pinpoint the source of a cyberattack is a subject being discussed by Pentagon officials with their counterparts in Britain, Canada, and Australia, among others, in advance of the upcoming NATO summit in Lisbon in November, at which cyberwarfare is an item on the agenda. Officials from NATO member states are also discussing such fundamental issues as how to share information and exchange related technologies, illustrating that the concept of a collective cyberwarfare defense is still in its infancy.
Lynn is among those working to develop the Pentagon’s new cyberstrategy, which focuses both on how to defend the military’s classified networks and on how to protect the Internet itself.
This upending of some key tenets of military doctrine is prompting the Pentagon to look to some surprising new places for strategic models of cyberdefense, including public health. “A public health model has some interesting applications,” Lynn said. “Can we use the kinds of techniques we use to prevent diseases? Could those be applied to the Internet?”
To that end, the Pentagon is now researching means of introducing internal defenses to the Internet so that it acts more like a human organism. When it’s hit with a virus, for example, it might mutate to fend it off. Such strategies are meant to “shift the advantage much more to the defender and away from the attacker,” Lynn said.
The problem is that the Internet currently has very few natural defenses. And sophisticated, crafted viruses like Stuxnet are even tougher to fend off. Indeed, the Web “was not developed with security in mind,” he added. “It was developed with transparency in mind; it was developed with ease of technological innovation.” Those same attributes do not lend themselves to good security. Among the potential targets for cyberattack frequently mentioned by cybersecurity experts are the nation’s power grid and financial system.
It was in 2008 that a cyberattack on Pentagon networks – an attack attributed to an unnamed “foreign intelligence service” – served as a wake-up call for US defense leadership. “To that point, we did not think our classified networks could be penetrated, so it was – it was a fairly shocking development,” said Lynn, adding that it was a “seminal moment” in a new military frontier.
Lynn put forward an analogy to early American warfare that the Pentagon often likes to call upon to illustrate its point. “If you figure the Internet is 20, 20-plus years old, and you kind of analogize to aviation … the first military aircraft was bought, I think, in 1908, somewhere around there. So we’re in about 1928,” he said.
“We’ve kind of seen some … biplanes shoot at each other over France,” he added. “But we haven’t really seen kind of what a true cyberconflict is going to look like.”
He warned, however, that a few things appear clear. It is a kind of war that “is going to be … more sophisticated, it’s going to be more damaging, it’s going to be more threatening” than it appears at present, Lynn said. “And it’s one of the reasons we’re trying to get our arms around the strategy in front of this rather than respond to the event.”