Defending a New Domain: The Pentagon's Cyberstrategy
William J. Lynn III, Deputy Secretary of Defense
In 2008, the
This previously classified incident was the most significant breach of U.S. military computers ever, and it served as an important wake-up call. The Pentagon's operation to counter the attack, known as Operation Buckshot Yankee, marked a turning point in U.S. cyberdefense strategy.
Over the past ten years, the frequency and sophistication of intrusions into U.S. military networks have increased exponentially. Every day, U.S. military and civilian networks are probed thousands of times and scanned millions of times. And the 2008 intrusion that led to Operation Buckshot Yankee was not the only successful penetration. Adversaries have acquired thousands of files from U.S. networks and from the networks of U.S. allies and industry partners, including weapons blueprints, operational plans, and surveillance data.
As the scale of cyberwarfare's threat to U.S. national security and the U.S. economy has come into view, the Pentagon has built layered and robust defenses around military networks and inaugurated the new U.S. Cyber Command to integrate cyberdefense operations across the military. The Pentagon is now working with the
THE THREAT ENVIRONMENT
Information technology enables almost everything the U.S. military does: logistical support and global command and control of forces, real-time provision of intelligence, and remote operations. Every one of these functions depends heavily on the military's global communications backbone, which consists of 15,000 networks and seven million computing devices across hundreds of installations in dozens of countries. More than 90,000 people work full time to maintain it. In less than a generation, information technology in the military has evolved from an administrative tool for enhancing office productivity into a national strategic asset in its own right. The U.S. government's digital infrastructure now gives the United States critical advantages over any adversary, but its reliance on computer networks also potentially enables adversaries to gain valuable intelligence about U.S. capabilities and operations, to impede
First, cyberwarfare is asymmetric. The low cost of computing devices means that U.S. adversaries do not have to build expensive weapons, such as stealth fighters or aircraft carriers, to pose a significant threat to U.S. military capabilities. A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten
In cyberspace, the offense has the upper hand. The Internet was designed to be collaborative and rapidly expandable and to have low barriers to technological innovation; security and identity management were lower priorities. For these structural reasons, the U.S. government's ability to defend its networks always lags behind its adversaries' ability to exploit U.S. networks' weaknesses. Adept programmers will find vulnerabilities and overcome security measures put in place to prevent intrusions. In an offense-dominant environment, a fortress mentality will not work. The United States cannot retreat behind a Maginot Line of firewalls or it will risk being overrun. Cyberwarfare is like maneuver warfare, in that speed and agility matter most. To stay ahead of its pursuers, the United States must constantly adjust and improve its defenses.
It must also recognize that traditional Cold War deterrence models of assured retaliation do not apply to cyberspace, where it is difficult and time consuming to identify an attack's perpetrator. Whereas a missile comes with a return address, a computer virus generally does not. The forensic work necessary to identify an attacker may take months, if identification is possible at all. And even when the attacker is identified, if it is a nonstate actor, such as a terrorist group, it may have no assets against which the United States can retaliate. Furthermore, what constitutes an attack is not always clear. In fact, many of today's intrusions are closer to espionage than to acts of war. The deterrence equation is further muddled by the fact that cyberattacks often originate from co-opted servers in neutral countries and that responses to them could have unintended consequences.
Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation. The challenge is to make the defenses effective enough to deny an adversary the benefit of an attack despite the strength of offensive tools in cyberspace. (Traditional arms control regimes would likely fail to deter cyberattacks because of the challenges of attribution, which make verification of compliance almost impossible. If there are to be international norms of behavior in cyberspace, they may have to follow a different model, such as that of public health or law enforcement.)
Cyberthreats to U.S. national security are not limited to military targets. Hackers and foreign governments are increasingly able to launch sophisticated intrusions into the networks that control critical civilian infrastructure. Computer-induced failures of U.S. power grids, transportation networks, or financial systems could cause massive physical damage and economic disruption. Such infrastructure is also essential to the military, both abroad and at home: coordinating the deployment and resupply of U.S. troops and equipping troops with goods from private vendors necessarily requires using unclassified networks that are linked to the open Internet. Protecting those networks and the networks that undergird critical U.S. infrastructure must be part of
Modern information technology also increases the risk of industrial espionage and the theft of commercial information. Earlier this year,
Computer networks themselves are not the only vulnerability. Software and hardware are at risk of being tampered with even before they are linked together in an operational system. Rogue code, including so-called logic bombs, which cause sudden malfunctions, can be inserted into software as it is being developed. As for hardware, remotely operated "kill switches" and hidden "backdoors" can be written into the computer chips used by the military, allowing outside actors to manipulate the systems from afar. The risk of compromise in the manufacturing process is very real and is perhaps the least understood cyberthreat. Tampering is almost impossible to detect and even harder to eradicate. Already, counterfeit hardware has been detected in systems that the
the United States rarely predicts accurately when and where military conflicts will occur. Predicting cyberattacks is also proving difficult, especially since both state and nonstate actors pose threats. More important, given that information technology is evolving rapidly, policymakers are left with little historical precedent to inform their expectations. Thus, the U.S. government must be modest about its ability to know where and how this threat might mature; what it needs is a strategy that provides operational flexibility and capabilities that offer maximum adaptability.
As a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain of warfare. Although cyberspace is a man-made domain, it has become just as critical to military operations as land, sea, air, and space. As such, the military must be able to defend and operate within it. To facilitate operations in cyberspace, the
Cyber Command has three missions. First, it leads the day-to-day protection of all defense networks and supports military and counterterrorism missions with operations in cyberspace. Second, it provides a clear and accountable way to marshal cyberwarfare resources from across the military. A single chain of command runs from the U.S. president to the secretary of defense to the commander of Strategic Command to the commander of Cyber Command and on to individual military units around the world. To ensure that considerations of cybersecurity are a regular part of training and equipping soldiers, Cyber Command oversees commands within each branch of the military, including the Army Forces Cyber Command, the
Cyber Command's third mission is to work with a variety of partners inside and outside the U.S. government. Representatives from the FBI, the
Given the dominance of offense in cyberspace, U.S. defenses need to be dynamic. Milliseconds can make a difference, so the U.S. military must respond to attacks as they happen or even before they arrive. To grapple with this, the Pentagon has deployed a system that includes three overlapping lines of defense. Two are based on commercial best practices -- ordinary computer hygiene, which keeps security software and firewalls up to date, and sensors, which detect and map intrusions. The third line of protection leverages government intelligence capabilities to provide highly specialized active defenses. And the government is deploying all these defenses in a way that meets its obligation to protect the civil liberties of U.S. citizens.
Because some intrusions will inevitably evade detection and not be caught at the boundary, U.S. cyberdefenses must be able to find intruders once they are inside. This requires being able to hunt within the military's own networks -- a task that is also part of the Pentagon's active defense capability.
Active defense has been made possible by consolidating the
The speed at which active defense systems must act means that the rules of engagement governing network defense must be set largely in advance. Devising these protocols is not easy. Indeed, the effort to define clear rules of engagement for responding to cyberattacks has been exceedingly difficult, and for good reason. These rules of engagement will first have to assist in distinguishing between the exploits of a mere hacker, criminal activity (such as fraud or theft), espionage, and an attack on the United States. They will then have to determine what action is necessary, appropriate, proportional, and justified in each particular case based on the laws that govern action in times of war and peace.
The best-laid plans for defending military networks will matter little if civilian infrastructure -- which could be directly targeted in a military conflict or held hostage and used as a bargaining chip against the U.S. government -- is not secure.
The U.S. government has only just begun to broach the larger question of whether it is necessary and appropriate to use national resources, such as the defenses that now guard military networks, to protect civilian infrastructure. Policymakers need to consider, among other things, applying the
Given the global nature of the Internet, U.S. allies also play a critical role in cyberdefense. The more signatures of an attack one can see, and the more intrusions one can trace, the better one's defenses will be. In this way, the construct of shared warning -- a core Cold War doctrine -- applies to cyberspace. Just as
the United States enjoys unparalleled technological resources, and it can marshal its advantages to create superior military capabilities in cyberspace. The Pentagon has already begun to explore how major companies can help the public sector address the cyberthreat. Through a public-private partnership called the Enduring Security Framework, the chief executive officers and chief technology officers of major information technology and defense companies now meet regularly with top officials from the
The U.S. government's research and development institutions have also turned their attention to cybersecurity. One of the more important innovations to emerge is the
The government must also strengthen its human capital. The Pentagon has increased the number of its trained cybersecurity professionals and deepened their training. This includes a formal certification program that is graduating three times as many cybersecurity professionals annually as a few years ago. Following industry practices, the Pentagon's network administrators are now trained in "ethical hacking," which involves employing adversarial techniques against
Even as the U.S. government strengthens its cadre of cybersecurity professionals, it must recognize that long-term trends in human capital do not bode well. The United States has only 4.5 percent of the world's population, and over the next 20 years, many countries, including
Making use of the private sector's innovative capacity will also require dramatic improvements in the government's procedures for acquiring information technology. On average, it takes the Pentagon 81 months to make a new computer system operational after it is first funded. Taking into account the growth of computing power suggested by Moore's law, this means that by the time systems are delivered, they are already at least four generations behind the state of the art. By comparison, the iPhone was developed in 24 months. That is less time than it would take the Pentagon to prepare a budget and receive congressional approval for it.
To replicate the dynamism of private industry, the Pentagon is developing a specific acquisition track for information technology. It is based on four principles. First, speed must be a critical priority. The Pentagon's acquisition process must match the technology development cycle. With information technology, this means cycles of 12 to 36 months, not seven or eight years. Second, the Pentagon must employ incremental development and testing rather than try to deploy large complex systems in one "big bang." Third, the U.S. military must be willing to sacrifice or defer some customization in order to achieve speedy incremental improvements. Fourth, the
ENTERING A NEW ERA
The daunting challenges of cybersecurity represent the beginning of a new technological age. In this early hour,
The cyberthreat does not involve the existential implications ushered in by the nuclear age, but there are important similarities. Cyberattacks offer a means for potential adversaries to overcome overwhelming U.S. advantages in conventional military power and to do so in ways that are instantaneous and exceedingly hard to trace. Such attacks may not cause the mass casualties of a nuclear strike, but they could paralyze U.S. society all the same. In the long run, hackers' systematic penetration of U.S. universities and businesses could rob the United States of its intellectual property and competitive edge in the global economy.
These risks are what is driving the Pentagon to forge a new strategy for cybersecurity. The principal elements of that strategy are to develop an organizational construct for training, equipping, and commanding cyberdefense forces; to employ layered protections with a strong core of active defenses; to use military capabilities to support other departments' efforts to secure the networks that run
(c) 2010 Foreign Affairs, September/October 2010