Marine General's Call for an Offensive Cyber-Security Strategy Dangerous

News Analysis: A Marine Corps general's attempt to short-circuit Deputy Defense Secretary William Lynn's cyber-security plans could result in disaster if adopted.

One of the things you see frequently here in Washington is infighting among senior members of the same department in the executive branch. What you don't see very often is a subordinate in the military chain of command trying his best to publicly derail a proposal put forth by a superior.

Usually the junior person ends up with a drastically shortened career. Hopefully that will be the case after Marine Gen. James Cartwright gets his justly deserved tongue lashing sometime this week.

What happened is that Cartwright called a press conference right before William Lynn, Deputy Secretary of the Department of Defense, released the Pentagon's cyber-security strategy. Part of that strategy is the U.S. Department of Defense's plan for protecting critical infrastructure.

Cartwright, vice chairman of the Joint Chiefs of Staff, said that the strategy was wrong, and that the U.S. military should be taking an offensive posture by making sure there are consequences for those who attack U.S. interests in cyberspace.

While I can understand where the general is coming from, it's not a very effective way to make your point by sandbagging your own department in advance of a policy announcement. This will surely have consequences for Cartwright. But will it end up having consequences for the rogue nations and terrorists who attack U.S. interests? Probably not.

The problem, first of all, is that it's nearly impossible to know exactly where a cyber-attack is coming from. Sure, you can probably track down the computers that make up the botnet that's being used to break into your military computers or your smart grid controllers, but that doesn't tell you anything. Neither does trying to track down an attack such as the worm that nearly took out a large number of U.S. Army computers a couple of years ago-a worm that apparently was delivered on a USB memory stick.

For that matter, nobody really has proved for sure where the Stuxnet worm that crippled Iran's nuclear projects actually came from. While there's a lot of speculation and one Israeli general claimed credit, you can't attack another nation on the basis of speculation and unverified claims. Before the U.S. military can attack another nation or a group of terrorists, or even a cohort of rogue hackers for that matter, it has to be assured that it's attacking the right place or the right person.

This is why the CIA and other intelligence agencies took months and spent millions of dollars before the Navy SEALS invaded Osama bin Laden's compound and killed him. Failing to make absolutely certain that you're attacking the right person or place has terrible consequences in its own right.