The Pentagon’s Cyberstrategy, One Year Later

For almost all of human history, man has waged war on land and at sea. Air and space emerged as potential battlefields only in the past few generations. Now, the danger of cyberwarfare rivals that of traditional war. The advent of more destructive technologies -- and of their inevitable proliferation among actors willing to use them -- means that the United States must strengthen its critical national networks against ever worse threats.

In "Defending a New Domain" (September/October 2010), I announced that the Pentagon had officially recognized cyberspace as an operational domain and went on to describe the military's cyberstrategy. One year later, U.S. military networks are better defended, the U.S. Cyber Command is fully operational, and we have made progress working with private industry to secure critical infrastructure. Meanwhile, the Obama administration has committed half a billion dollars to develop advanced defensive technologies, including novel approaches to improving network security. But much remains to be done, and the window for doing it is short.

CYBERCONFLICT

Our assessment is that cyberattacks will be a significant component of future conflicts. Over thirty countries are creating cyber units in their militaries. It is unrealistic to believe that each one will limit its capabilities to defense. Moreover, the centrality of information technology to the U.S. military and society virtually guarantees that future adversaries will target it.

The United States is now in the midst of a strategic shift in the cyberthreat. Until now, intrusions have largely been for the purpose of exploitation: stealing intellectual property from commercial networks or spying on the government. There have also been disruptive cyberattacks, for example on Estonia, in 2007, and Georgia, in 2008. In a development of extraordinary importance, cyber technologies now exist that are capable of destroying critical networks, causing physical damage, or altering the performance of key systems. In the twenty-first century, bits and bytes are as threatening as bullets and bombs.

The cyberthreat is also intensifying in a second direction: toxic technologies are proliferating among actors willing to use them. At present, sophisticated cyber capabilities reside almost exclusively in the hands of advanced nation states. For them, U.S. power -- both military and cyber -- is a strong deterrent. Although attribution of a cyberattack is difficult, the risk of discovery is likely too great for a major nation to mount a major attack. But circumstances can change. The United States must guard against the possibility of a future adversary who is not deterred from launching a cyberstrike.

Terrorist groups and rogue states must be considered separately. With few assets the United States can hold at risk, they are more willing to provoke. To advance their radical agendas, they are intent on acquiring, refining, and expanding their cyber capabilities. A burgeoning market for cybercrime services, with settled price lists for botnet rentals and denial-of-service attacks, already exists in the murky underworld of organized crime. If a terrorist group does obtain destructive cyberweapons, it could strike with little hesitation. Faced with these threats, the United States must guard against both a cyber Pearl Harbor, as Secretary of Defense Leon Panetta has warned, and the possibility of a cyber 9/11. Indeed, Panetta recently noted how the disruptive effects of a cyberattack may well be worse than 9/11 and Pearl Harbor combined.

In short, more destructive tools are being created every day, but have not been widely used. Similarly, the most malicious actors have not yet obtained the most harmful technologies. But this situation will not hold forever. There will eventually be a marriage of capability and intent, where those who mean to harm the United States will gain the ability to launch a damaging attack. The United States must develop stronger defenses before this occurs.

To meet this growing threat, the Department of Defense developed a strategy for operating in cyberspace that has five pillars: treating cyberspace as an operational domain, like land, air, sea, and outer space; employing active defenses to stop malicious code before it affects our networks; protecting commercial networks that operate the critical infrastructure that our military relies upon; joining with allies to mount a collective cyberdefense; and mobilizing industry to redesign network technology with security in mind. (The strategy is available at www.defense.gov/cyber.)

CRITICAL INFRASTRUCTURE

Extending advanced cyberdefenses to critical infrastructure is one of the strategy's most crucial objectives. Cyber intrusions have been directed at nearly every sector of our economy. Victims include the IMF, Citibank, Sony's PlayStation network, the secure data provider RSA, Google, and NASDAQ. The United States' critical infrastructure has also been probed. Because much of this infrastructure supports military operations, its failure could compromise national defense. Ninety percent of U.S. military voice and Internet communications, for example, travel over the same private networks that service private homes and offices. The U.S. military relies on the civilian transportation system to move its personnel and freight, on commercial refineries to provide its fuel, and on the financial industry to process its payments. Ensuring the integrity of the networks that undergird critical infrastructure must therefore be a part of the United States' cyberstrategy.
The Department of Homeland Security has the primary responsibility for protecting U.S. critical infrastructure. In the past year, the Defense Department and DHS have agreed to coordinate cybersecurity efforts, established a joint planning capability, and have exchanged cyber personnel. The Defense Department is also helping DHS deploy advanced defensive technologies on networks in the .gov domain.

Partnering with DHS carries the long-standing tradition of military support for civilian authorities into the cyber domain. During a natural disaster, such as a hurricane, FEMA often uses military troops and helicopters to help deliver relief. Similarly, the military's cyber capabilities will be available to civilian leaders to help protect the networks that support government operations and critical infrastructure. At all times, these resources will be under civilian control and used according to civil laws.

DIB CYBER PILOT

Within critical infrastructure, the private defense companies that build the equipment and technology the U.S. military uses are especially important to protect. Their networks hold valuable information about U.S. weapons systems and their capabilities. Alarmingly, foreign intruders have already extracted terabytes of data from defense industry networks in recent years. In a single intrusion in March, 24,000 files were taken. Some of the data stolen during this and other attacks is mundane, but a great deal concerns the United States' most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems, and network security protocols.

Current countermeasures have not stopped this outflow of sensitive information. In response, the Department of Defense, in partnership with DHS and a handful of defense companies, has established a pilot program to provide more robust protection for private networks. In the Defense Industrial Base (DIB) Cyber Pilot, the government shares classified threat intelligence with private companies or their Internet service providers. The intelligence is then integrated into companies' own network defenses. Because it builds off commercial technologies, the DIB Cyber Pilot provides additional protection for only an incremental increase in cost.

Moreover, the project does not entail U.S. government monitoring, intercepting, or storing of private sector communications, and it is voluntary for all participants.
The Defense Department is only beginning to evaluate the pilot's effectiveness, but it has already stopped hundreds of intrusions at participating industry partners. Building off this initial success, the Department is hoping to expand the pilot to more defense companies. The Pentagon is also working with the White House and the Department of Homeland Security to evaluate applying the concept to other critical infrastructure sectors. With intrusions over the last year into the networks of the financial sector, of transportation networks, of a national laboratory run by the Department of Energy, and even of top-notch cybersecurity firms, there is much left to do. But by establishing a lawful and effective framework for the government to help the operators of critical infrastructure defend their networks, the DIB Cyber Pilot will provide a means to measurably enhance the security of the nation.

DEFENDING CYBERSPACE RESPONSIBLY

The steps the Pentagon has taken to respond to the cyberthreat have prompted discussion about cyberwar and its implications. Commentators have asked whether and how the United States would respond militarily to attacks on its networks. Some are concerned that cyberspace is at risk of becoming militarized. The concern here, as in other areas, is that the measures put in place to prevent hostile actions will negate the very benefits of cyberspace the government seeks to protect. The Department of Defense has designed its cyberstrategy to address this concern. We need to ensure that a domain overwhelmingly used by civilians and for peaceful purposes is not fundamentally altered by the military's efforts to defend it.

It should come as no surprise that the United States is prepared to defend itself in all domains. It would be irresponsible, and a failure of the Defense Department's mission, to leave the nation vulnerable to a known threat. Just as the military defends against hostile acts from land, air, and sea, it must also be prepared to respond to hostile acts in cyberspace. Accordingly, the United States reserves the right, under the law of armed conflict, to respond to serious cyberattacks with an appropriate, proportional, and justified military response.

The ability to identify and respond to a serious cyberattack, however, is only part of U.S. strategy. The focus on building robust defenses aims to changeadversaries' incentives in a more fundamental way. If the United States increases the resources needed to mount a successful attack, minimizes the impact of attacks when they do occur, and quickly attributes them to their sources, it may be able to change a potential attacker's decision calculus.
Far from militarizing cyberspace, U.S. cyberstrategy will make it more difficult for military actors to use cyberspace for hostile purposes. Indeed, establishing robust cyberdefenses no more militarizes cyberspace than having a navy militarizes the ocean. This commitment to peace through preventive defense is at the heart of the Pentagon's cyberstrategy and the administration's overall approach to cyberspace.