DOD struggles to define cyber war

Efforts hampered by lack of agreement on meaning

As the Defense Department puts its new Cyber Command in place to defend the military information infrastructure, it also is wrestling with the nontechnical issues of defining cyber war and establishing a doctrine for cyber warfare, a top Pentagon cyber policy adviser said Wednesday.

James Miller, DOD principal deputy undersecretary for policy, pondered how the law of armed conflict applies to cyber war.

“It’s clear that it does," he said, speaking in an Ogilvy Exchange national security lecture in Washington, But the military still has to establish what an act of aggression or an act of war looks like in cyberspace and decide on the rules for responding — both digitally and physically — when the line between hacking and warfare is crossed, he said.

“We have a lot of efforts underway,” Miller said. “We are trying to bring all of this together into a coherent strategy” that will begin coming out in the next few months. He said there will not be a simple one-sentence definition of what constitutes cybe rwar, but that it will be an evolving concept based on history and on likely scenarios.

“It is clear there is a lot of cyber espionage where data is being pulled," Miller said. "But we understand that not everything that happens in cyberspace is an act of war.”

Miller reminded the audience of the usual statistics about the scope of the threat facing a net-centric DOD: 15,000 DOD networks with 7 million devices at 4,000 installations in 88 countries, all being scanned and probed millions of times a day. More than 100 foreign intelligence organizations are trying to access the systems and foreign militaries are developing the ability to attack and disrupt the systems that already are being penetrated by hackers and criminals.

“The cyber threat has outpaced our ability to defend against it,” he said. “We still are learning” the extent of our dependency on these networks and the scope of the threats against them. “We still see significant gaps and vulnerabilities. We don’t fully understand them, but we’re learning.”

The greatest threat to DOD systems so far has been the theft of sensitive data, he said. But the military also has to defend against disruption and degradation of the systems it is increasingly dependent on.

To date, defensive efforts have been spread between at least a half-dozen different organizations, including the Defense Information Systems Agency; the National Security Agency; and individual service commands in the Army, Air Force and Navy.

“We are spread too thin, geographically and institutionally,” Miller said. But that is changing with this week’s confirmation of NSA Director Keith Alexander, who was given a fourth star to also head the Cyber Command.

“We are headed into a new era,” Miller said. The new command will consolidate current resources, although each service will have primary responsibility for protecting its own networks. It will have three primary missions: defense of military networks, support of military and counterterrorism operations, and support of civilian agency and industry partners as needed.


Related stories:

How can we be at cyberwar if we don't know what it is? 

Senate confirms NSA chief as head of Pentagon's new Cyber Command


“There are legal and policy questions we are attempting to address,” Miller said. “It’s not a bright red line. There are a lot of gray areas.”

Effective defense also requires integrating intelligence and offensive capabilities, because attacks and attackers must first be identified to defend against them, Miller said. This point was echoed by Navy Department Chief Information Officer Robert Carey, who said at a separate event Tuesday that DOD needed to build up its cyberattack skills.

“If you know how to attack, you can defend pretty well,” Carey said. “We currently are developing people only as defenders. That mindset has to change.”

Both Miller and Carey also said that simply throwing money at the cyber problems is not an option.

“We are not going to buy out way out of this challenge,” Miller said.

Carey and Miller also lamented the slow pace of the federal budget process. A sophisticated device -- Miller used the iPhone as an example -- can be developed in less time than it takes DOD to create a budget for an IT system.

Carey said that even with a $7.6 billion IT budget, the Navy’s cyber defense has to be cost-effective and make a business case for dollars. Tanks, airplanes and ships still play out better on than do Hill than cyber issues.

“Our cyber guys would love to have the money [currently] being spent on a destroyer,” Carey said. “But that’s not going to happen.”

 

About the Author

William Jackson is a Maryland-based freelance writer.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.

Featured

  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from Shutterstock.com

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Fri, May 14, 2010 oracle2world

Where can I get a job defining cyber war? I figure it might take a couple of arduous years of study to come up with one. Maybe something like the threat level colors.

Thu, May 13, 2010 Kevin Dayton

Let's not forget the DDR&E Software Protection Initiative, the DoD's Office of Primary Responsibility (OPR) to protect software (intellectual property, data, applications) in the cyber-domain, chartered in 2001. SPI has researched and developed dozens of cyber-defense technologies, solving such tough problems as secure teleworking, ultra-safe Internet browsing fromw/in the NIPRNet, simple file encryption, protection of code form concept to implementation (Google could have used us), and theft-proof applications. SPI’s novel 3 Tenets methodology results in far more secure systems, aimed to mitigate nation-state class threats that own the hardware and root access. See spi.dod.mil

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group