WASHINGTON (Reuters) - The Defense Department unveiled a new strategy for protecting military computer networks from hackers on Thursday, designating cyberspace as an “operational domain” U.S. forces will be trained to defend.
Deputy Defense Secretary William Lynn said the Pentagon wanted to avoid militarizing cyberspace, but aimed to secure strategic networks with the threat of retaliation, as well as by mounting a more robust defense.
“Our strategy’s overriding emphasis is on denying the benefit of an attack,” Lynn said in a speech at the National Defense University. “If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place.”
Identifying intruders and responding to serious cyber attacks are part of the strategy, he said. But the military now focuses its strongest deterrent on other nation states, not transnational groups.
“Terrorist groups and rogue states must be considered separately,” Lynn said.
“They have few or no assets to hold at risk and a greater willingness to provoke. They are thus harder to deter. If a terrorist group gains disruptive or destructive cyber tools, we have to assume they will strike with little hesitation.”
Lynn said currently the most sophisticated attacks come from other nations. Nation states are the most sophisticated intruders at this point but can be deterred by the threat of military power, he said, whereas transnationational groups have less fear of military retaliation.
“There will eventually be a marriage of capability and intent, where those who mean us harm will gain the ability to launch damaging cyber attacks,” Lynn said. “We need to develop stronger defenses before this occurs.”
Protecting its systems has become increasingly critical and complicated for the Pentagon. Defense Department employees operate more than 15,000 computer networks and 7 million computers at hundreds of installations around the world. Defense Department networks are probed millions of times a day and penetrations have caused the loss of thousands of files.
$1 TRILLION IN ECONOMIC LOSSES
Lynn said in one intrusion in March, 24,000 files at a defense company were accessed, and over the past decade terabytes of data have been taken from military and defense company computers by foreign intruders.
He said a recent estimate pegged economic losses from cybertheft of intellectual property, loss of competitiveness and damage to defense industries at over $1 trillion.
The cybersecurity strategy calls for the Pentagon to treat cyberspace as an “operational domain” -- like air, land and sea -- where the military must organize, train and equip to take advantage of its full capabilities.
Lynn said as part of its active defenses, the Pentagon would introduce new operating concepts and capabilities on its networks, such as sensors, software and signatures to detect and stop malicious code before it affects U.S. operations.
General James Cartwright, vice chairman of the Joint Chiefs of Staff, said the Pentagon must shift its thinking on cybersecurity from focusing 90 percent of its energy on building better firewalls and only 10 percent on preventing hackers from attacking U.S. systems.
“If your approach to the business is purely defensive in nature, that’s the Maginot line approach,” he said, referring to the French fixed defensive fortifications that were circumvented by the Nazis at the outset of World War Two.
“If it’s OK to attack me and I’m not going to do anything other than improve my defenses every time you attack me, it’s very difficult to come up with a deterrent strategy,” he said.
Cartwright said most viruses are only a couple hundred lines of computer code, but the patches to fix the holes they exploit can run into millions of lines of code.
“Every time somebody spends a couple hundred dollars to build a virus, we’ve got to spend millions. So we’re on the wrong side of that. We’ve got to change that around,” he said.
He said part of the answer was in building up the military’s offensive response capabilities.
“How do you build something that convinces a hacker that doing this is going to be costing them and if he’s going to do it, he better be willing to pay the price and the price is going to escalate, rather than his price stays the same and ours escalates,” Cartwright said.
“We’ve got to change the calculus.”
Editing by Todd Eastham
Our Standards: The Thomson Reuters Trust Principles.