The U.S. military will work with private companies to protect critical infrastructure, a senior Department of Defense official told an audience at theNational Defense University in Washington July 14.
During his speech, Deputy Secretary of Defense William Lynn said that U.S. military systems have been repeatedly attacked by foreign interests looking for information on technology, from nuclear weapons to drone aircraft. Lynn also pointed out that civilian companies that support the defense effort are being attacked and he gave as an example one contractor thatlost 24,000 sensitive documents to a foreign government in March.
But Lynn also said that there’s a significant threat to more basic critical infrastructure, such aspower companies, transportation and financial services. He noted that nearly all the power used by military bases comes from civilian power companies and that the military depends on the banking system and on the transportation system.
“The country’scritical infrastructure has also been probed,” Lynn said. “Because much of this critical infrastructure supports military operations, its failure could compromise our abilities to protect the nation. Our military bases and installations are part of-not separate from-the critical infrastructure on which all Americans depend.
“Ninety-nine percent of the electricity the U.S. military uses comes from civilian sources,” Lynn said. “Ninety percent of U.S. military voice and Internet communications travel over the same private networks that service homes and offices. We also rely on the transportation system to move military personnel and freight, on commercial refineries to provide fuel, and on the financial industry to process our payments.”
Lynn revealed that the NDU Web site had been hacked and its server taken over by hostile forces briefly, and he said that the threat is growing daily. But Lynn also referred to criticism in the past that protecting critical infrastructure could also mean gathering private information, at least in the case of protecting financial institutions. Lynn said that the military had no interest in gathering such information.
Lynn said that with this in mind, the military was launching a new protection method for critical networks called the Defense Industrial Base (DIB) Cyber Pilot. He said that the DIB Cyber Pilot is a means of sharing classified threat intelligence with defense contractors and ISPs, along with information on how to deploy the information.
“In the DIB Cyber Pilot, the U.S. government is not monitoring, intercepting or storing any private-sector communications,” Lynn said. He stressed that the focus is on helping private companies deal with threats, not with the DOD doing any monitoring. Lynn noted that even in its initial form, the DIB Cyber Pilot has already stopped a series of intrusions, and has provided critical information on the techniques the cyber-attackers used.
Cyber-Defenses Wont Compromise Privacy
In his speech, Lynn is, in effect, acknowledging that the DOD and the country’s top cyber cop, the National Security Agency, can’t possibly monitor all the traffic that passes through networks in the U.S., but that it can watch for patterns of activities that can signal cyber-attacks. By analyzing these attacks, the company being attacked can, not only prevent the attack from proceeding, but it can also prevent future attacks.
While it’s not clear just how widespread the DIB Cyber Pilot program is, certainly, it’s already in use and meeting with some success. It’s also clearly not intended (or even able) to monitor individual communications. This, of course, makes a great deal of sense. Preventing an area-wide power-grid collapse, preventing interference with rail transportation or air-traffic control involves no personal data at all. But such an attack could cripple the U.S.
Perhaps you remember early in the summer of 2011 when the computer booking systems at two major airlines went offline and created chaos for days for travelers around the world. While there’s no public indication that these computer outages were the work of cyber-attackers, think of what might happen if attackers were to take out the operations systems of several major airlines.
Or think what might happen if someone took out the air-traffic control system in the U.S. The entire civil aviation industry in the U.S. would be grounded, and even military flights (which depend on civilian controllers on most cases) would be seriously compromised.
A similar attack on the computerized control centers for major railroads would stall freight delivery across the U.S. An attack on the power-grid control systems could cause broad regional power outages. Pair these with some other type of attack, and these systems could be down for many hours or days. What’s worse is that the computer systems that manage power grids, railroad dispatching or airline bookings were never designed to withstand a cyber-attack. They’re only now being updated to include security in their designs.
The real concern shouldn’t be about an intrusion into private life by the military, but rather how your private life can be protected from cyber-attacks as it is from physical attacks. This is clearly a function for which the military is well suited, as is the NSA.