DOD struggles to define cyber war

Efforts hampered by lack of agreement on meaning

As the Defense Department puts its new Cyber Command in place to defend the military information infrastructure, it also is wrestling with the nontechnical issues of defining cyber war and establishing a doctrine for cyber warfare, a top Pentagon cyber policy adviser said Wednesday.

James Miller, DOD principal deputy undersecretary for policy, pondered how the law of armed conflict applies to cyber war.

“It’s clear that it does,” he said, speaking in an Ogilvy Exchange national security lecture in Washington. But the military still has to establish what an act of aggression or an act of war looks like in cyberspace and decide on the rules for responding — both digitally and physically — when the line between hacking and warfare is crossed, he said.

“We have a lot of efforts underway,” Miller said. “We are trying to bring all of this together into a coherent strategy” that will begin coming out in the next few months. He said there will not be a simple one-sentence definition of what constitutes cyber war, but that it will be an evolving concept based on history and on likely scenarios.

“It is clear there is a lot of cyber espionage where data is being pulled,” Miller said. “But we understand that not everything that happens in cyberspace is an act of war.”

Miller reminded the audience of the usual statistics about the scope of the threat facing a net-centric DOD: 15,000 DOD networks with 7 million devices at 4,000 installations in 88 countries, all being scanned and probed millions of times a day. More than 100 foreign intelligence organizations are trying to access the systems and foreign militaries are developing the ability to attack and disrupt the systems that already are being penetrated by hackers and criminals.

“The cyber threat has outpaced our ability to defend against it,” he said. “We still are learning” the extent of our dependency on these networks and the scope of the threats against them. “We still see significant gaps and vulnerabilities. We don’t fully understand them, but we’re learning.”

The greatest threat to DOD systems so far has been the theft of sensitive data, he said. But the military also has to defend against disruption and degradation of the systems it is increasingly dependent on.

To date, defensive efforts have been spread between at least a half-dozen different organizations, including the Defense Information Systems Agency; the National Security Agency; and individual service commands in the Army, Air Force and Navy.

“We are spread too thin, geographically and institutionally,” Miller said. But that is changing with this week’s confirmation of NSA Director Keith Alexander, who was given a fourth star to also head the Cyber Command.

“We are headed into a new era,” Miller said. The new command will consolidate current resources, although each service will have primary responsibility for protecting its own networks. It will have three primary missions: defense of military networks, support of military and counterterrorism operations, and support of civilian agency and industry partners as needed.




“There are legal and policy questions we are attempting to address,” Miller said. “It’s not a bright red line. There are a lot of gray areas.”

Effective defense also requires integrating intelligence and offensive capabilities, because attacks and attackers must first be identified to defend against them, Miller said. This point was echoed by Navy Department Chief Information Officer Robert Carey, who said at a separate event Tuesday that DOD needed to build up its cyberattack skills.

“If you know how to attack, you can defend pretty well,” Carey said. “We currently are developing people only as defenders. That mindset has to change.”

Both Miller and Carey also said that simply throwing money at the cyber problems is not an option.

“We are not going to buy our way out of this challenge,” Miller said.

Carey and Miller also lamented the slow pace of the federal budget process. A sophisticated device -- Miller used the iPhone as an example -- can be developed in less time than it takes DOD to create a budget for an IT system.

Carey said that even with a $7.6 billion IT budget, the Navy’s cyber defense has to be cost-effective and make a business case for dollars. Tanks, airplanes and ships still play out better on the Hill than do cyber issues.

“Our cyber guys would love to have the money [currently] being spent on a destroyer,” Carey said. “But that’s not going to happen.”

 

About the Author

William Jackson is a Maryland-based freelance writer.


Reader comments

Fri, May 14, 2010 oracle2world

Where can I get a job defining cyber war? I figure it might take a couple of arduous years of study to come up with one. Maybe something like the threat level colors.

Thu, May 13, 2010 Kevin Dayton

Let's not forget the DDR&E Software Protection Initiative, the DoD's Office of Primary Responsibility (OPR) to protect software (intellectual property, data, applications) in the cyber-domain, chartered in 2001. SPI has researched and developed dozens of cyber-defense technologies, solving such tough problems as secure teleworking, ultra-safe Internet browsing from w/in the NIPRNet, simple file encryption, protection of code from concept to implementation (Google could have used us), and theft-proof applications. SPI’s novel 3 Tenets methodology results in far more secure systems, aimed to mitigate nation-state class threats that own the hardware and root access. See spi.dod.mil
