Report: Allow cyberwar response
- By Bob Brewin
- Mar 28, 1999
The Pentagon's policy of prohibiting the Defense Department from mounting a counter cyberattack if its computers are attacked puts the military at risk, according to a report released last week.
DOD's "purely passive" approach to protecting its information systems from cyberattacks could result in "severe consequences for U.S. military capabilities," according to the report, issued by the National Research Council. The NRC suggested that the Pentagon advocate changes in national policy that would allow U.S. military forces to respond to such attacks with so-called cyber-retaliation.
The NRC report, which includes a review of DOD command, control, communications, computer and information systems policies and practices, added weight to recent statements by top Pentagon officials that attacks against DOD information systems that are critical to a new doctrine of information-based warfare continue to escalate while the agency's information-defense efforts lag.
"DOD is in an increasingly compromised position," concludes the report, which Congress mandated in 1996. "The rate at which information systems are being relied on outstrips the rate at which they are being protected.... The time needed to develop and deploy effective defenses in cyberspace is much longer than the time required to mount an attack."
James McGroddy, retired senior vice president of research for IBM Corp. and chairman of the NRC committee that prepared the report, said the United States has come to rely on "computing and communications technology to multiply the effectiveness of our fighting forces, [but that] enhancing the nervous system that levels the muscle side of the military comes with the challenge of ensuring that we do not increase the vulnerability of information warfare attacks."
Simply protecting information systems from attack - the Pentagon's current position - may not work in the future, the report said. It urged Secretary of Defense William Cohen to "take the lead in explaining the severe consequences for U.S. military capabilities that arise from a purely passive defense of its C4I infrastructure and in exploring policy options to these challenges."
Under current policies, DOD can only track cyberattacks. When a cyberattack is discovered, DOD must transfer the responsibility of prosecuting offenders to civilian law enforcement agencies.
Although the report said the "notion of cyber-retaliation raises many legal and policy issues," it urged Pentagon leadership "to review the legal limits in its ability to defend itself and its C4I infrastructure from attack.... [Then DOD] should take the lead in advocating changes in national policy (including legislation, if necessary) that amend the rules of engagement specifying the circumstances under which force [would be] an appropriate response to a cyberattack."
Retired Lt. Gen. Carl O'Berry, former Air Force deputy chief of staff for C4I and a member of the NRC committee, said, "We debated [the cyberattack recommendation]. We have foes with unlimited opportunities to attack while we maintain a defensive crouch [at a time] when some people think we are in a cyberwar."
One such person is Rep. Curt Weldon (R-Pa.), who held a classified hearing covering cyberattacks on DOD systems and recently said that the United States was "at war" because DOD computers were under a "coordinated, organized" attack.
John Pike, an analyst with the Federation of American Scientists, said the call for cyber-retaliation, if acted on, would mark a real change for DOD. But, he added, "Does this mean the Pentagon will then start frying the home PCs of American teen-age hackers?"
The NCR report also zeroed in on the philosophical and doctrinal underpinnings of the new information-based warfare planning document: The Joint Chiefs of Staff Joint Vision 2010. The NCR report called Joint Vision 2010 "compelling but unrealized, because it is not yet known how to exploit information technology across the full spectrum of operations."
The report added that if the Joint Chiefs believe in, and want to capitalize on, IT, they will have to realign spending priorities. "Realizing the benefits of new C4I technologies may well require trade-offs between C4I systems acquisition and other force investments.... DOD's goal must be improved military effectiveness, not simply improved capabilities."
O'Berry said that "most of [the NRC panel] believed that technology is not the limiter for JV 2010.... It's the acquisition cycle.''
O'Berry said that if the Pentagon wants to gain the information advantage, it must free IT acquisition from a system designed "to buy weapons in a 10- to 15-year cycle.... We've got to find a way to separate the business of information systems acquisition from weapons systems acquisition."