Even as the Department of Defense unveiled a cyber-security strategy, a senior military official said it was "way too predictable," and that the Pentagon needs to prepare offensive counter measures to deter cyber-attacks
Deputy Defense Secretary William Lynn July 14 released the Pentagon's "Strategy for Operating in Cyber-Space," outlining five "strategic initiatives" on how the military will operate online. The strategy focused on how the defense department will defend its networks and those of key infrastructure from cyber-attacks, said Marine General James Cartwright, vice chairman of the Joint Chiefs of Staff, in a press briefing just before Lynn's speech at the National Defense University, Washington, D.C.
The Pentagon needs to talk about stronger offensive measures in the "next iteration" of the strategy that would deter intrusions, Cartwright said. Under the current strategy, there are no penalties for adversaries that launch cyber-attacks against the United States.
The Pentagon needs to say "to the attacker, 'If you do this, the price to you is going to go up, and it's going to ever escalate,'" Cartwright said.
American military officials were devoting nearly 90 percent of their attention toward building better firewalls and only 10 percent on ways to deter cyber-attackers from launching attacks in the first place. While this is a great situation for government contractors looking for lucrative contracts, it is not sustainable, Cartwright said. A better strategy would be the reverse, with military officials focused on the offense.
"If it's OK to attack me and I'm not going to do anything other than improve my defenses every time you attack me, it's very difficult to come up with a deterrent strategy," Cartwright said.
The defensive mentality is also more expensive for the country, Cartwright said, noting malware developers spend "a couple hundred dollars to build a virus" and the government racks up "millions" in expensive defensive measures every year.
In the latest plan, the Pentagon sidestepped the question of whether federal agencies like the Defense Department, Department of Homeland Security or other intelligence agencies could conduct their own offensive cyber-attacks against both internal and external threats. Cartwright said he wasn't referring to "kinetic" action, such as lethal combat force, against cyber-attackers, but that there should be some form of retaliation.
Much of the discussion on offensive and defensive tactics at the U.S. Cyber Command, the Pentagon's cyber-security organization, is still theoretical as there have been no large-scale attacks aimed at knocking out government computer networks or essential national infrastructure, such as power grids or transportation networks.
"Trying to solve this in the abstract is difficult," Cartwright said. The Department of Defense has a series of pilot programs with defense contractors to ensure sensitive documents are secured properly, he said.
The main difficulty in launching a retaliatory cyber-attack is determining the target. It's easy for online assailants to mask their identity and to hide other information such as the geographic location from where the attack originated.
There are also some fundamental disagreements on what legal precedents would govern U.S. actions as well as which federal agency would be in charge. "How do you do it in such a way [with] the checks and balances between cabinet agencies that we have today? That has been a lot harder struggle," Cartwright said.
All the agencies want a piece of the action and all the discussion on "who is going to be in charge" has slowed down any meaningful progress on cyber-security, Major General John Casciano, a retired Air Force general who is now an adviser on government security issues at RedSeal Systems, told eWEEK.
He likened the current situation to a soccer team of six years olds where "everyone's trying to get his foot on the ball." As the players grow up, they understand their position on the field and cooperate, acting more like a team. The government agencies haven't gotten to that point of awareness yet, Casciano said.
"We keep saying the same old things, senior officials are giving the same old briefings and we are not further along solving the problem," Casciano said.