DOD cyber defense plan draws fire

In announcing its latest plan to improve the security of military and related mission-critical networks in the public and private sectors, the Defense Department dutifully acknowledged once again that cyberspace is a new domain in which it must defend the United States and its vital interests.

But cyberspace is unlike any other battlefield the Pentagon has encountered before, and the military is clearly struggling to develop operational ground rules for this complicated new domain where the lines are often fuzzy between DOD and civilian activities, war and peace, and the good guys and the bad guys.

The difficulty of the task for DOD officials is evident in just how messy and prone to criticism the process of creating a cybersecurity policy has become. However, there is little doubt that a strategy is crucial. At the July 14 press conference for the plan’s unveiling, Deputy Secretary of Defense William Lynn also disclosed that in March, a “foreign intruder” was able to steal 24,000 files pertaining to cutting-edge weapons systems from the network of a defense contractor.

As an illustration of the messiness, the vice chairman of the Joint Chiefs of Staff, Marine Gen. James Cartwright, made the unusual move of publicly criticizing the plan’s defensive orientation hours before Lynn officially released it.

"We’re on a path that is too predictable, way too predictable," Cartwright told reporters. "It’s purely defensive. There is no penalty for attacking us now. We have to figure out a way to change that."

Cartwright deserves at least a tongue lashing for so publicly undermining a superior and a tutorial on the difficulty of determining with any certainty whom to punish when U.S. networks are attacked, writes Wayne Rash in eWeek.

Sorting out the complex issues and ambiguity that characterize the context for cyberspace rules of engagement is not easy. Back when many military leaders began their careers, defense experts divined an adversary’s intentions in part by counting tanks, planes and ships in satellite photos, and leaders could more easily assign culpability for an attack before weighing how to retaliate.

In the cyber arena, it is much more difficult to ascertain intentions and capabilities and, likewise, to define what constitutes an attack, how to retaliate if one happens, and whom and what to retaliate against (a hacker’s home, a government ministry building, a Web-hosting facility in another, uninvolved country?).

Hyperbole about cyber war doesn’t help clarify the discussion, writes James Lewis, a senior fellow at the Center for Strategic and International Studies. He said that despite the apparent abundance of state-sponsored hacking as judged from recent press accounts, “only by adopting an exceptionally elastic definition of cyberattack can we say they are frequent.” Nevertheless, Lewis said, defense officials are rightfully trying to better understand and plan for a world in which true cyberattacks will become more common.

There are also constitutional issues raised by the notion of the military routinely patrolling an environment used every day by the general public and businesses. Declan McCullagh, writing in CNet’s "Privacy Inc" blog, said concerns about the civil liberty implications of DOD's new cyber plan aren’t without some justification because the power to monitor civilian networks for bad behavior includes the ability to monitor them in general.

“The resolution of privacy concerns is likely to depend on the details, including whether the military merely provides recommendations to network operators in the private sector — or if it instead wants authority and oversight,” McCullagh writes.

If there were easy ways to secure cyberspace, the Pentagon probably could have nailed down many of the specifics years ago. Yet some experts say DOD’s new plan proposes many of the same difficult-to-achieve and still-unfulfilled solutions, such as building better public/private partnerships to secure critical infrastructure, writes Nancy Gohring for the IDG News Service.

The 5 pillars of cyber defense

The Defense Department’s new strategy for securing cyberspace is organized around five key initiatives:

• Establish cyberspace as an operational domain — like air, sea, land and space — and organize, train and equip forces accordingly to perform cyber missions.
  
• Adopt new operating concepts for networks, including active defenses that use sensors, software and signatures.
  
• Partner with the private sector and other government agencies to protect critical infrastructure — particularly the Homeland Security Department, which is responsible for protecting civilian networks.
  
• Strengthen collective cybersecurity in coordination with U.S. allies and other international partners.
  
• Capitalize on the United States' technological and human resources through an exceptional cyber workforce and rapid technological innovation.

Source: "Department of Defense Strategy for Operating in Cyberspace," July 2011