The Pentagon's cyberstrategy, one year later
An attendee looks at an Asus Eee Slate EP121 tabelet at the 2011 International Consumer Electronics Show. (Getty Images)
October 3rd, 2011
03:57 PM ET

The Pentagon's cyberstrategy, one year later

Editor's Note: William J. Lynn III is U.S. Deputy Secretary of Defense.

By William J. Lynn III, Foreign Affairs

For almost all of human history, man has waged war on land and at sea. Air and space emerged as potential battlefields only in the past few generations. Now, the danger of cyberwarfare rivals that of traditional war. The advent of more destructive technologies - and of their inevitable proliferation among actors willing to use them - means that the United States must strengthen its critical national networks against ever worse threats.

In "Defending a New Domain" (September/October 2010), I announced that the Pentagon had officially recognized cyberspace as an operational domain and went on to describe the military's cyberstrategy. One year later, U.S. military networks are better defended, the U.S. Cyber Command is fully operational, and we have made progress working with private industry to secure critical infrastructure. Meanwhile, the Obama administration has committed half a billion dollars to develop advanced defensive technologies, including novel approaches to improving network security. But much remains to be done, and the window for doing it is short.

CYBERCONFLICT

Our assessment is that cyberattacks will be a significant component of future conflicts. Over thirty countries are creating cyber units in their militaries. It is unrealistic to believe that each one will limit its capabilities to defense. Moreover, the centrality of information technology to the U.S. military and society virtually guarantees that future adversaries will target it.

Putin's Return and Washington's Reset With Russia

The United States is now in the midst of a strategic shift in the cyberthreat. Until now, intrusions have largely been for the purpose of exploitation: stealing intellectual property from commercial networks or spying on the government. There have also been disruptive cyberattacks, for example on Estonia, in 2007, and Georgia, in 2008. In a development of extraordinary importance, cyber technologies now exist that are capable of destroying critical networks, causing physical damage, or altering the performance of key systems. In the twenty-first century, bits and bytes are as threatening as bullets and bombs.

The cyberthreat is also intensifying in a second direction: toxic technologies are proliferating among actors willing to use them. At present, sophisticated cyber capabilities reside almost exclusively in the hands of advanced nation states. For them, U.S. power - both military and cyber - is a strong deterrent. Although attribution of a cyberattack is difficult, the risk of discovery is likely too great for a major nation to mount a major attack. But circumstances can change. The United States must guard against the possibility of a future adversary who is not deterred from launching a cyberstrike.

Terrorist groups and rogue states must be considered separately. With few assets the United States can hold at risk, they are more willing to provoke. To advance their radical agendas, they are intent on acquiring, refining, and expanding their cyber capabilities. A burgeoning market for cybercrime services, with settled price lists for botnet rentals and denial-of-service attacks, already exists in the murky underworld of organized crime. If a terrorist group does obtain destructive cyberweapons, it could strike with little hesitation. Faced with these threats, the United States must guard against both a cyber Pearl Harbor, as Secretary of Defense Leon Panetta has warned, and the possibility of a cyber 9/11. Indeed, Panetta recently noted how the disruptive effects of a cyberattack may well be worse than 9/11 and Pearl Harbor combined.

In short, more destructive tools are being created every day, but have not been widely used. Similarly, the most malicious actors have not yet obtained the most harmful technologies. But this situation will not hold forever. There will eventually be a marriage of capability and intent, where those who mean to harm the United States will gain the ability to launch a damaging attack. The United States must develop stronger defenses before this occurs.

To meet this growing threat, the Department of Defense developed a strategy for operating in cyberspace that has five pillars: treating cyberspace as an operational domain, like land, air, sea, and outer space; employing active defenses to stop malicious code before it affects our networks; protecting commercial networks that operate the critical infrastructure that our military relies upon; joining with allies to mount a collective cyberdefense; and mobilizing industry to redesign network technology with security in mind. (The strategy is available at www.defense.gov/cyber.)

CRITICAL INFRASTRUCTURE

Extending advanced cyberdefenses to critical infrastructure is one of the strategy's most crucial objectives. Cyber intrusions have been directed at nearly every sector of our economy. Victims include the IMF, Citibank, Sony's PlayStation network, the secure data provider RSA, Google, and NASDAQ. The United States' critical infrastructure has also been probed. Because much of this infrastructure supports military operations, its failure could compromise national defense. Ninety percent of U.S. military voice and Internet communications, for example, travel over the same private networks that service private homes and offices. The U.S. military relies on the civilian transportation system to move its personnel and freight, on commercial refineries to provide its fuel, and on the financial industry to process its payments. Ensuring the integrity of the networks that undergird critical infrastructure must therefore be a part of the United States' cyberstrategy.

The Department of Homeland Security has the primary responsibility for protecting U.S. critical infrastructure. In the past year, the Defense Department and DHS have agreed to coordinate cybersecurity efforts, established a joint planning capability, and have exchanged cyber personnel. The Defense Department is also helping DHS deploy advanced defensive technologies on networks in the .gov domain.

How the Haqqani Network is Expanding From Waziristan

Partnering with DHS carries the long-standing tradition of military support for civilian authorities into the cyber domain. During a natural disaster, such as a hurricane, FEMA often uses military troops and helicopters to help deliver relief. Similarly, the military's cyber capabilities will be available to civilian leaders to help protect the networks that support government operations and critical infrastructure. At all times, these resources will be under civilian control and used according to civil laws.

DIB CYBER PILOT

Within critical infrastructure, the private defense companies that build the equipment and technology the U.S. military uses are especially important to protect. Their networks hold valuable information about U.S. weapons systems and their capabilities. Alarmingly, foreign intruders have already extracted terabytes of data from defense industry networks in recent years. In a single intrusion in March, 24,000 files were taken. Some of the data stolen during this and other attacks is mundane, but a great deal concerns the United States' most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems, and network security protocols.

Current countermeasures have not stopped this outflow of sensitive information. In response, the Department of Defense, in partnership with DHS and a handful of defense companies, has established a pilot program to provide more robust protection for private networks. In the Defense Industrial Base (DIB) Cyber Pilot, the government shares classified threat intelligence with private companies or their Internet service providers. The intelligence is then integrated into companies' own network defenses. Because it builds off commercial technologies, the DIB Cyber Pilot provides additional protection for only an incremental increase in cost.

Moreover, the project does not entail U.S. government monitoring, intercepting, or storing of private sector communications, and it is voluntary for all participants.

The Defense Department is only beginning to evaluate the pilot's effectiveness, but it has already stopped hundreds of intrusions at participating industry partners. Building off this initial success, the Department is hoping to expand the pilot to more defense companies. The Pentagon is also working with the White House and the Department of Homeland Security to evaluate applying the concept to other critical infrastructure sectors. With intrusions over the last year into the networks of the financial sector, of transportation networks, of a national laboratory run by the Department of Energy, and even of top-notch cybersecurity firms, there is much left to do. But by establishing a lawful and effective framework for the government to help the operators of critical infrastructure defend their networks, the DIB Cyber Pilot will provide a means to measurably enhance the security of the nation.

DEFENDING CYBERSPACE RESPONSIBLY

The steps the Pentagon has taken to respond to the cyberthreat have prompted discussion about cyberwar and its implications. Commentators have asked whether and how the United States would respond militarily to attacks on its networks. Some are concerned that cyberspace is at risk of becoming militarized. The concern here, as in other areas, is that the measures put in place to prevent hostile actions will negate the very benefits of cyberspace the government seeks to protect. The Department of Defense has designed its cyberstrategy to address this concern. We need to ensure that a domain overwhelmingly used by civilians and for peaceful purposes is not fundamentally altered by the military's efforts to defend it.

Overturning Lee Kuan Yew's Legacy in Singapore 

It should come as no surprise that the United States is prepared to defend itself in all domains. It would be irresponsible, and a failure of the Defense Department's mission, to leave the nation vulnerable to a known threat. Just as the military defends against hostile acts from land, air, and sea, it must also be prepared to respond to hostile acts in cyberspace. Accordingly, the United States reserves the right, under the law of armed conflict, to respond to serious cyberattacks with an appropriate, proportional, and justified military response.

The ability to identify and respond to a serious cyberattack, however, is only part of U.S. strategy. The focus on building robust defenses aims to changeadversaries' incentives in a more fundamental way. If the United States increases the resources needed to mount a successful attack, minimizes the impact of attacks when they do occur, and quickly attributes them to their sources, it may be able to change a potential attacker's decision calculus.

Far from militarizing cyberspace, U.S. cyberstrategy will make it more difficult for military actors to use cyberspace for hostile purposes. Indeed, establishing robust cyberdefenses no more militarizes cyberspace than having a navy militarizes the ocean. This commitment to peace through preventive defense is at the heart of the Pentagon's cyberstrategy and the administration's overall approach to cyberspace.

The views expressed in this article are solely those of William J. Lynn III.

Post by:
Topics: Global • Intelligence • Internet • Politics • United States

soundoff (9 Responses)
  1. Douglas Kohn

    Dear Mr. Zakaria,
    Before I begin, I would like you to know I greatly admire your work in general and your television program GPS. It is always fascinating. Yesterday you had as a guest Hina Rabbani Khar, Foreign Minister of Pakistan. Though you did not let her get away with saying that Pakistan still has a blasphemy law that is actually enforced, she seemed to think that the best excuse for Pakistan having one is that "Iceland has one too." Can this woman, or any other member of the Pakistani government really take themselves seriously after a comment like that? When was the last time Iceland enforced a blasphemy ruling? Many countries have unenforced and dead laws on their books dating back hundreds of years. Thank you again for your work in the fields of geopolitics and economics I will be a loyal viewer as long as you are on the air.

    Regards,
    Douglas Kohn (New York, NY)

    October 3, 2011 at 4:02 pm | Reply
  2. Onesmallvoice

    What a letdown this is!!! Now the right-wing thugs in Washington have found another place to throw away our hard earned tax money. This country is already vastly overdefended and will be more and more that way. Besides, we already have enough firepower to destroy the rest of the world at least 20 or 30 times over! What a waste of money!!!

    October 3, 2011 at 4:20 pm | Reply
    • Matt

      Very well said Onesmallvoice, and so very true too. Thank you.

      October 3, 2011 at 7:22 pm | Reply
    • IT Guy

      I don't think you realize the danger here. Computer networks in the US are vastly under protected (see the recent Sony scandals). Most of the infrastructure of the US is attached to a computer network and starting a cyber defense system is a very logical and responsible thing to do.

      October 31, 2011 at 7:15 pm | Reply
  3. David

    Except that if we leave cyberspace open to attacks, the "press this to destroy the world 20 times" button might not work. Or it might be used against us. I agree that we can't afford even more military spending, but in modern times it seems like a good idea to shift from buying another aircraft carrier that we don't need to some km of fiber optics for exclusive military use.

    October 3, 2011 at 5:20 pm | Reply
  4. j. von hettlingen

    Indeed the destruction of a cyberwar would be more devastating than the aftermath of Hiroshima bombing! It just shows how vulnerable mankind is!

    October 4, 2011 at 8:28 am | Reply
  5. PJ

    Oh YEAH! The FBI spent HOW much on an e-mail (YES- E-MAIL) system that doesn't work?!!!! Foggy Bottom: "Hey! DUDE! we're getting a system upgrade!" Bottom Foggy: "Yeah?! Groovy! What. Up?" Foggy Bottom: Windows 98!!!
    Bottom Foggy: "Rock on, Wayward dude!" Foggy Bottom: "Yeah. They're on the run now... Master Blaster! Wooo!"

    October 6, 2011 at 8:51 am | Reply
  6. readr1fav

    Cyber security should definitely be a high priority. I am confident in this country's abilities of planning far in advance. Regards.

    February 25, 2013 at 3:54 am | Reply

Post a comment


 

CNN welcomes a lively and courteous discussion as long as you follow the Rules of Conduct set forth in our Terms of Service. Comments are not pre-screened before they post. You agree that anything you post may be used, along with your name and profile picture, in accordance with our Privacy Policy and the license you have granted pursuant to our Terms of Service.

Follow

Get every new post delivered to your Inbox.

Join 4,792 other followers