DOD cyber defense plan draws fire

In announcing its latest plan to improve the security of military and related mission-critical networks in the public and private sectors, the Defense Department dutifully acknowledged once again that cyberspace is a new domain in which it must defend the United States and its vital interests.

But cyberspace is unlike any other battlefield the Pentagon has encountered before, and the military is clearly struggling to develop operational ground rules for this complicated new domain where the lines are often fuzzy between DOD and civilian activities, war and peace, and the good guys and the bad guys.

The difficulty of the task for DOD officials is evident in just how messy and prone to criticism the process of creating a cybersecurity policy has become. However, there is little doubt that a strategy is crucial. At the July 14 press conference for the plan’s unveiling, Deputy Secretary of Defense William Lynn also disclosed that in March, a “foreign intruder” was able to steal 24,000 files pertaining to cutting-edge weapons systems from the network of a defense contractor.

As an illustration of the messiness, the vice chairman of the Joint Chiefs of Staff, Marine Gen. James Cartwright, made the unusual move of publicly criticizing the plan’s defensive orientation hours before Lynn officially released it.

"We’re on a path that is too predictable, way too predictable," Cartwright told reporters. "It’s purely defensive. There is no penalty for attacking us now. We have to figure out a way to change that."

Cartwright deserves at least a tongue lashing for so publicly undermining a superior and a tutorial on the difficulty of determining with any certainty whom to punish when U.S. networks are attacked, writes Wayne Rash in eWeek.

Sorting out the complex issues and ambiguity that characterize the context for cyberspace rules of engagement is not easy. Back when many military leaders began their careers, defense experts divined an adversary’s intentions in part by counting tanks, planes and ships in satellite photos, and leaders could more easily assign culpability for an attack before weighing how to retaliate.

In the cyber arena, it is much more difficult to ascertain intentions and capabilities and, likewise, to define what constitutes an attack, how to retaliate if one happens, and whom and what to retaliate against (a hacker’s home, a government ministry building, a Web-hosting facility in another, uninvolved country?).

Hyperbole about cyber war doesn’t help clarify the discussion, writes James Lewis, a senior fellow at the Center for Strategic and International Studies. He said that despite the apparent abundance of state-sponsored hacking as judged from recent press accounts, “only by adopting an exceptionally elastic definition of cyberattack can we say they are frequent.” Nevertheless, Lewis said, defense officials are rightfully trying to better understand and plan for a world in which true cyberattacks will become more common.

There are also constitutional issues raised by the notion of the military routinely patrolling an environment used every day by the general public and businesses. Declan McCullagh, writing in CNet’s "Privacy Inc" blog, said concerns about the civil liberty implications of DOD's new cyber plan aren’t without some justification because the power to monitor civilian networks for bad behavior includes the ability to monitor them in general.

“The resolution of privacy concerns is likely to depend on the details, including whether the military merely provides recommendations to network operators in the private sector — or if it instead wants authority and oversight,” McCullagh writes.

If there were easy ways to secure cyberspace, the Pentagon probably could have nailed down many of the specifics years ago. Yet some experts say DOD’s new plan proposes many of the same difficult-to-achieve and still-unfulfilled solutions, such as building better public/private partnerships to secure critical infrastructure, writes Nancy Gohring for the IDG News Service.


The 5 pillars of cyber defense

The Defense Department’s new strategy for securing cyberspace is organized around five key initiatives:

  • Establish cyberspace as an operational domain — like air, sea, land and space — and organize, train and equip forces accordingly to perform cyber missions.
  • Adopt new operating concepts for networks, including active defenses that use sensors, software and signatures.
  • Partner with the private sector and other government agencies to protect critical infrastructure — particularly the Homeland Security Department, which is responsible for protecting civilian networks.
  • Strengthen collective cybersecurity in coordination with U.S. allies and other international partners.
  • Capitalize on the United States' technological and human resources through an exceptional cyber workforce and rapid technological innovation.

Source: "Department of Defense Strategy for Operating in Cyberspace," July 2011

About the Authors

Technology journalist Michael Hardy is a former FCW editor.

John Zyskowski is a senior editor of Federal Computer Week. Follow him on Twitter: @ZyskowskiWriter.

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.

Featured

  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Tue, Jul 26, 2011 Robert Rathbun Maryland

Wayne, How dare you state that "Cartwright deserves at least a tongue lashing for so publicly undermining a superior and a tutorial on the difficulty of determining with any certainty whom to punish when U.S. networks are attacked, writes Wayne Rash in eWeek." You clearly have no concept of the need for strong leadership in this area. Smart leaders would privately encourage the guy to tone it down, and also recognize the need for change here. Sitting on our butts and watching attacks hit our doorsteps is CLEARLY NOT AN OPTION. Wayne, perhaps you would rather see our nation drained of cash while outsiders electronically bankrupt us. Perhap Wayne never learned to play connect the dots in school; clearly Wayne fails to recognize the nation needs to take a STRONGER DEFENSIVE posture. Wayne, I put your statements into the classical LEADERSHIP FAILURE CATAGORIES since you lack the knowledge of what's really going on here. Are you really so ignorant to think our national debt was solely created by the government alone? If we fail to come across strong others will exploit our weakness. Wayne, out of the utmost respect, grow a spine and stand up for the Marine General who get's it. Robert Rathbun Cyber Architect U.S. Army Retired.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above