It’s gotten very little coverage in the media, but the Pentagon and Department of Homeland Security tried last week to fix one of the biggest gaps in cyber protection for the United States by ensuring coverage of both military and government web sites. That is part of a wider push by the Defense Department to come up with a bona fide strategy for coping with the rising tide of cyber attacks by governments and enterprising hackers.
Robert Butler, deputy assistant defense secretary for cyber policy, told reporters this morning that a new national defense strategy for cyberspace operations should be in place before the end of the year.
In Deputy Defense Secretary Bill Lynn's seminal article in Foreign Affairs about cyber, he described the outlines of such a strategy: "The principal elements of that strategy are to develop an organizational construct for training, equipping, and commanding cyber defense forces; to employ layered protections with a strong core of active defenses; to use military capabilities to support other departments' efforts to secure the networks that run the United States' critical infrastructure; to build collective defenses with U.S. allies; and to invest in the rapid development of additional cyber defense capabilities."
Butler brushed aside reporters' questions about the fascinating policy debate over the very basic questions of what constitutes an act of war in the cyber commons and how the US should respond. The national security community is pushing hard, he said, to figure out ways to do what is needed to protect commercial, government and military networks and how to manage such attacks, instead of saying what circumstances would elevate a cyber attack to an act of war.
While the national security establishment continues to be flummoxed by how to answer those questions, it is beginning to find ways around the traditional separation between military functions – directed against threats that reside outside the United States – and domestic security directed against threats that come from within our borders. Unfortunately, cyber threats can be directed against U.S. military targets and U.S. government or commercial assets at the same time, and it can be almost impossible to tell where they are coming from, let alone who is directing the attack.
I asked Butler when the military was going to come up with answers to the problem of attribution and how they would do it, and he basically said it's really complicated, hard to do and requires a great deal of analytic effort, along with some technology.
He also declined to address the question of whether and how the United States would launch an offensive cyber attack.
Much of the Pentagon's focus, judging by Butler's comments and Lynn's article, is on defense and the key questions of operational security. So it makes sense that the memo signed last week by the secretary of Homeland Security, Janet Napolitano, and Defense Secretary Robert Gates allows DHS cyber experts to be posted at the National Security Agency, which provides most of the military cyber manpower. And Napolitano stressed that the agreement between the two agencies “furthers our strong commitment to protecting civil liberties and privacy.”
Another part of that approach is to build self-contained mini-Internets for critical infrastructure such as electrical grids, nuclear plants, and water and sewer plants. This would help prevent attacks by wonderful code such as Stuxnet, designed to cripple Supervisory Control And Data Acquisition systems used to control and monitor industrial processes (particularly those used by Iranian nuclear plants). The catchy domain name would be dotsecure.