The Department of Defense needs to be thinking about retaliation and deterrence to prevent attacks against United States cyber-space in the first place, Marine General James Cartwright said.
Even as the Department of Defense unveiled a cyber-security strategy, a senior military official said it was "way too predictable," and that the Pentagon needs to prepare offensive countermeasures to deter cyber-attacks.
Deputy Defense Secretary William Lynn July 14 released the Pentagon's "Strategy for Operating in Cyber-Space," outlining five "strategic initiatives" on how the military will operate online. The strategy focused on how the defense department will defend its networks and those of key infrastructure from cyber-attacks, said Marine General James Cartwright, vice chairman of the Joint Chiefs of Staff, in a press briefing just before Lynn's speech at the National Defense University, Washington, D.C.
The Pentagon needs to talk about stronger offensive measures in the "next iteration" of the strategy that would deter intrusions, Cartwright said. Under the current strategy, there are no penalties for adversaries that launch cyber-attacks against the United States.
The Pentagon needs to say "to the attacker, 'If you do this, the price to you is going to go up, and it's going to ever escalate,'" Cartwright said.
American military officials were devoting nearly 90 percent of their attention toward building better firewalls and only 10 percent on ways to deter cyber-attackers from launching attacks in the first place. While this is a great situation for government contractors looking for lucrative contracts, it is not sustainable, Cartwright said. A better strategy would be the reverse, with military officials focused on the offense.
"If it's OK to attack me and I'm not going to do anything other than improve my defenses every time you attack me, it's very difficult to come up with a deterrent strategy," Cartwright said.
The defensive mentality is also more expensive for the country, Cartwright said, noting malware developers spend "a couple hundred dollars to build a virus" and the government racks up "millions" in expensive defensive measures every year.
In the latest plan, the Pentagon sidestepped the question of whether federal agencies like the Defense Department, Department of Homeland Security or other intelligence agencies could conduct their own offensive cyber-attacks against both internal and external threats. Cartwright said he wasn't referring to "kinetic" action, such as lethal combat force, against cyber-attackers, but that there should be some form of retaliation.
Much of the discussion on offensive and defensive tactics at the U.S. Cyber Command, the Pentagon's cyber-security organization, is still theoretical as there have been no large-scale attacks aimed at knocking out government computer networks or essential national infrastructure, such as power grids or transportation networks.
"Trying to solve this in the abstract is difficult," Cartwright said. The Department of Defense has a series of pilot programs with defense contractors to ensure sensitive documents are secured properly, he said.
The main difficulty in launching a retaliatory cyber-attack is determining the target. It's easy for online assailants to mask their identity and to hide other information such as the geographic location from where the attack originated.
There are also some fundamental disagreements on what legal precedents would govern U.S. actions as well as which federal agency would be in charge. "How do you do it in such a way [with] the checks and balances between cabinet agencies that we have today? That has been a lot harder struggle," Cartwright said.
All the agencies want a piece of the action and all the discussion on "who is going to be in charge" has slowed down any meaningful progress on cyber-security, Major General John Casciano, a retired Air Force general who is now an adviser on government security issues at RedSeal Systems, told eWEEK.
He likened the current situation to a soccer team of six-year-olds where "everyone's trying to get his foot on the ball." As the players grow up, they understand their position on the field and cooperate, acting more like a team. The government agencies haven't gotten to that point of awareness yet, Casciano said.
"We keep saying the same old things, senior officials are giving the same old briefings and we are not further along solving the problem," Casciano said.