Pentagon to treat cyberspace as "operational domain"

WASHINGTON Thu Jul 14, 2011 5:29pm EDT

WASHINGTON (Reuters) - The Defense Department unveiled a new strategy for protecting military computer networks from hackers on Thursday, designating cyberspace as an "operational domain" U.S. forces will be trained to defend.

Deputy Defense Secretary William Lynn said the Pentagon wanted to avoid militarizing cyberspace, but aimed to secure strategic networks with the threat of retaliation, as well as by mounting a more robust defense.

"Our strategy's overriding emphasis is on denying the benefit of an attack," Lynn said in a speech at the National Defense University. "If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place."

Identifying intruders and responding to serious cyber attacks are part of the strategy, he said. But the military now focuses its strongest deterrent on other nation states, not transnational groups.

"Terrorist groups and rogue states must be considered separately," Lynn said.

"They have few or no assets to hold at risk and a greater willingness to provoke. They are thus harder to deter. If a terrorist group gains disruptive or destructive cyber tools, we have to assume they will strike with little hesitation."

Lynn said the most sophisticated attacks currently come from other nations. Nation states can be deterred by the threat of military power, he said, whereas transnational groups have less fear of military retaliation.

"There will eventually be a marriage of capability and intent, where those who mean us harm will gain the ability to launch damaging cyber attacks," Lynn said. "We need to develop stronger defenses before this occurs."

Protecting its systems has become increasingly critical and complicated for the Pentagon. Defense Department employees operate more than 15,000 computer networks and 7 million computers at hundreds of installations around the world. Defense Department networks are probed millions of times a day and penetrations have caused the loss of thousands of files.

$1 TRILLION IN ECONOMIC LOSSES

Lynn said in one intrusion in March, 24,000 files at a defense company were accessed, and over the past decade terabytes of data have been taken from military and defense company computers by foreign intruders.

He said a recent estimate pegged economic losses from cybertheft of intellectual property, loss of competitiveness and damage to defense industries at over $1 trillion.

The cybersecurity strategy calls for the Pentagon to treat cyberspace as an "operational domain" -- like air, land and sea -- where the military must organize, train and equip to take advantage of its full capabilities.

Lynn said as part of its active defenses, the Pentagon would introduce new operating concepts and capabilities on its networks, such as sensors, software and signatures to detect and stop malicious code before it affects U.S. operations.

General James Cartwright, vice chairman of the Joint Chiefs of Staff, said the Pentagon must shift its thinking on cybersecurity from focusing 90 percent of its energy on building better firewalls and only 10 percent on preventing hackers from attacking U.S. systems.

"If your approach to the business is purely defensive in nature, that's the Maginot line approach," he said, referring to the French fixed defensive fortifications that were circumvented by the Nazis at the outset of World War Two.

"If it's OK to attack me and I'm not going to do anything other than improve my defenses every time you attack me, it's very difficult to come up with a deterrent strategy," he said.

Cartwright said most viruses are only a couple hundred lines of computer code, but the patches to fix the holes they exploit can run into millions of lines of code.

"Every time somebody spends a couple hundred dollars to build a virus, we've got to spend millions. So we're on the wrong side of that. We've got to change that around," he said.

He said part of the answer was in building up the military's offensive response capabilities.

"How do you build something that convinces a hacker that doing this is going to be costing them and if he's going to do it, he better be willing to pay the price and the price is going to escalate, rather than his price stays the same and ours escalates," Cartwright said.

"We've got to change the calculus."

(Editing by Todd Eastham)

Comments (14)
swissmissled wrote:
Do not do online banking. Despite what the banks maintain, many people have been cleaned out of millions of dollars and are not protected by the banks regardless of their promises. Online banking, according to many banking experts who choose to remain anonymous, is like playing Russian Roulette. Terrorists know how easy this is and have no qualms about using this tactic.

Jul 14, 2011 2:47pm EDT
stevestutz wrote:
Seeing as the Chinese attack our government systems hundreds and thousands of times daily, and have been quite successful in the past, no one should spin this in any vaguely political as an invitation for “violation of our privacy”.

Cyberspace is a battlefield. Ground, Sea, Air, Space, Cyberspace.

Jul 14, 2011 2:49pm EDT
Whatever we can do to allow the government to quickly hide the truth and lies that are sold to us by Obama and his followers… And then the awesome media can continue to sell these lies to the public! Obama and this government are such a huge joke it makes me laugh to simply read articles like this…

Jul 14, 2011 2:49pm EDT