DoD cyber strategy aims at deterrence

Friday - 7/15/2011, 7:00am EDT

Federal News Radio's Jared Serbu

Download mp3

By Jared Serbu
Federal News Radio

The Defense Department's new cyberspace strategy is not a manual for how the Pentagon will attack adversaries in cyber wars of the future.

Rather, the document, two years in the making and released Thursday, focuses almost entirely on defense, save for the reassertion - also proclaimed in the White House's recent international strategy for cyberspace - that the United States reserves the right to respond militarily to acts perpetrated through computer networks.

But attacks that cause physical damage or serious disruption are, in the Pentagon's view, on the "far end" of the continuum. While DoD needs to prepare for such attacks in the future, the current concern is over present-day intrusions in which terabytes of information and intellectual property have been stolen, said Deputy Defense Secretary Bill Lynn in a speech accompanying the strategy's release at the National Defense University in Washington.

Lynn said the latest large breach happened in March, when attackers absconded with 24,000 files in an intrusion into a defense contractor's network. The files contained sensitive information on an undisclosed system the vendor was building for DoD.

Lynn's comments were the first public acknowledgement of the March breach. He said the attacker is believed to be a foreign intelligence agency, though he declined to name the nation the Pentagon suspects. He also did not identify the contractor involved.

Lynn said the Pentagon has a "pretty good idea" who was behind the attack, and DoD was improving its capabilities more generally in the difficult area of attribution: pegging an attack to a particular adversary in the murky world of cyberspace.

But even in cases in which DoD knows who the enemy is, Pentagon planners believe the threat of retaliation alone is not enough to deter potential adversaries from trying to inflict damage or steal information through networks.

"Our ability to identify and respond to a serious cyber attack is only part of our strategy," Lynn said. "Our strategy's overriding emphasis is on denying the benefit of an attack. Rather than rely on the threat of retaliation alone to deter attacks in cyberspace, we aim to change our adversaries' incentives in a more fundamental way. If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place."

Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, said the Pentagon believes it can change the cost-benefit analysis of attackers by making it more difficult to capitalize on a successful intrusion into one of DoD's millions of computing devices.

"Today we have a network that's essentially constructed around point defenses. You go buy a firewall and some sort of virus protection and you put it on your computer. It's the most inefficient defense there is," he said. "You're static, and you're always there. Attackers can just keep repeating it as often as they want, and there's really no penalty for doing it."

Instead, DoD wants to build robust, multi-layered, active defenses, relying on a global system of sensors to detect and neutralize threats. The strategy calls for the funneling of research and development funding to create technologies to accomplish that goal, plus a focus on recruiting and training a cybersecurity workforce to maintain the defenses.

Such a setup would let DoD detect threats early and isolate them to a single computer, rather than chasing down an intrusion that manages to penetrate an entire network, Cartwright said.

"Those types of activities tend to affect those who would attack us," he said. "If they think they're going to be thwarted or if they think they're not going to get the effect they desired, it changes their calculus. To the extent that you add other measures, whether they're offensive in nature or law enforcement or diplomatic activities, they also tend to raise the price. But they're only effective if they're credible. We have to have a system that recognizes an attack, registers it and then allows us to react in a way that's appropriate and proportional."

The strategy also calls for stronger relationships with other nations to establish standard rules of the road and expected behavior for operating in cyberspace, though Lynn said doing so won't necessarily require new treaties.

Lynn said the Pentagon also is continuing to explore ways to share classified information on cyber threats with the Defense industrial base in order to ward off attacks like the one that happened in March. The department is in the middle of a 90-day pilot program in which it is providing defense contractors with access to information that can help them detect threats.