Pentagon Rattles Its Cyber-Saber
The U.S. DoD has formally outlined its positions on cyberspace defense, establishing five strategic approaches as part of the White House's U.S. Comprehensive National Cybersecurity Initiative. Cyberspace will be considered an operational domain like land, sea, air and space. That means the military has to operate and defend its networks and prepare for cybermissions and cyberconflict.
Jul 15, 2011 12:07 PM PT
The United States Department of Defense (DoD) unveiled its long-awaited cyberstrategy Friday.
Speaking at the National Defense University, Deputy Secretary of Defense William Lynn outlined the DoD's Strategy for Operating in Cyberspace.
This consists of five strategic approaches and is part of the U.S. Comprehensive National Cybersecurity Initiative, unveiled by the White House in June.
It includes reserving the option of using military force in response to serious cyberattacks.
The DoD's announcement comes at a time when cyberthreats against governments worldwide and attacks on U.S. defense contractors are increasing.
Meanwhile, U.S. armed forces' growing dependence on technology is making it increasingly vulnerable to cyberattacks.
The DoD's been working on its cyberstrategy for some time, Robert Rodriguez, chairman and managing principal of SINET, told TechNewsWorld.
"It's not like they just thought this up in the past 18 months," Rodriguez said. "They've been discussing this for awhile, but not in public."
However, observers are skeptical about whether or not the DoD can carry out its intentions.
"I saw the pronouncements on that subject to be more saber-rattling at this point than anything else," Scott Crawford, a managing research director at Enterprise Management Associates (EMA), told TechNewsWorld.
The DoD did not respond to requests for comment by press time.
The Five Pillars of the DoD Plan
The DoD's cyberspace strategy has five components.
First, cyberspace is considered an operational domain like land, sea, air and space. That means the military has to operate and defend its networks and prepare for cybermissions and cyberconflict.
Second, the DoD will improve cybersecurity and develop new defense operating concepts and computing architectures. Stronger defenses against internal threats are part of this strategy, and they will include improved workforce communications, more workforce accountability, internal monitoring, and information management capabilities.
Third, the DoD will partner with other U.S. government departments and agencies as well as the private sector to enable a cybersecurity strategy that encompasses the whole of government.
That means enhancing the partnership with the Department of Homeland Security, partnering with the Defense Industrial Base to better protect sensitive information, and strengthening partnerships with the private sector.
The Defense Industrial Base consists essentially of defense contractors.
Fourth is the strengthening of ties with U.S. allies and international partners to enhance collective cybersecurity, as outlined in the U.S. International Strategy for Cyberspace, which was launched in May.
The fifth pillar of the DoD's strategy is to "leverage the nation's ingenuity through an exceptional cyberworkforce and rapid technological innovation." The DoD will invest in its people, technology and R&D involved with cybersecurity.
Sweet Dreams Are Made of These
The goals outlined by the DoD may be somewhat optimistic, analysts say.
One major problem is that of accurately identifying the source of a given attack.
"Identifying the perpetrator accurately is the biggest challenge we have today," Charles Dodd, whose company, Nicor Global, offers offensive and defensive strategies for U.S. government, military and intelligence programs, told TechNewsWorld.
"So we say we'll fight fire with fire, but until we know for a fact that we have the capability to accurately identify network traffic and its point of origin -- and we're not there yet -- we can't say this," Dodd explained.
Getting and training enough people to participate in cyberdefense is going to be another problem. Existing IT training is inadequate, EMA's Crawford suggested.
"Educators would be well-advised to focus on the reality of the threat landscape and training professionals accordingly rather than wasting their time with purely academic studies that may have little or no bearing on reality," Crawford remarked.
"Our children are not growing up with the math and science skills that we need to advance the nation's innovation," SINET's Rodriguez said. "And the intellectual property we're losing with the problem of H1-B visas and not keeping people who deserve to stay in this country are a big problem."
H1-B visas are granted to specially qualified foreigners, and foreign computer experts get quite a few of these.
The Use of Military Force
Finally, there's the question of when using military force would be appropriate or justified.
For example, some U.S.-based servers and networks were used in the 2007 cyberattack on Estonia, which was widely believed to have been launched by Russia, Dodd said.
"So how are we going to retaliate militarily to that?" Dodd asked. "Take out Atlanta, Ga., or some other U.S. city where servers and networks used in an attack on U.S. facilities are based?"
Worse still, what if civilian targets such as hospitals are taken out in a military attack?
"The Laws of the Sea have been around since 1609 and it took decades, if not centuries, to figure out how to apply them correctly," SINET's Rodriguez said.
"The Internet has only been around for 43 years or so," Rodriguez added. "There are lots of opportunities, but we're also still finding out about the risks."