"Because cyberspace is composed of many interwoven networks that perform many different functions, ensuring its peaceful use will require efforts on many fronts," deputy secretary of defense Bill Lynn said at Thursday's announcement of the strategy. "The men and women of the military, other government agencies, our allies, the private sector, and indeed, the citizens of cyberspace must all play a role."
On Thursday, Lynn detailed two previously unpublicized attacks. In one attack in March, for which the DOD has pegged a foreign intelligence service as the likely perpetrator, 24,000 files on a sensitive weapons system were stolen from a defense contractor's network. As a result of that attack, Lynn said, the DOD is investigating whether the system needs to be redesigned because its specs have been compromised. In another recent attack, the Web servers of the National Defense University were hijacked by "an unknown intruder."
While serious, these are only two items on a long list of recent attacks on the military, military partners, and critical infrastructure that supports military operations. Data stolen from security company RSA earlier this year was used to penetrate Lockheed Martin's networks, for example. The Pentagon's official credit union database was possibly exposed after being accessed by a PC weighed down by malware. Cyber intruders have also successfully attacked energy firms and large financial institutions in recent months, Lynn noted.
In response, the military has been working more closely with the private sector. Lynn highlighted the Defense Industrial Base Cyber Pilot, in which the DOD is working with a handful of defense contractors and Internet service providers to identify and stop attacks on their networks. The effort builds on a program started in 2007.
While the new pilot has only been up and running for a few months, Lynn said that it has already begun preventing intrusions for some of the companies involved. The DOD plans to end the pilot later this summer and then determine whether and how to expand the program to other defense contractors and possibly other critical infrastructure sectors.
Beyond defense contractors, numerous other non-military networks support important military functions, such as those that run and manage the power grid, transportation systems, and the financial sector. Ninety-nine percent of U.S. military electricity comes from civilian sources, for example, and 90% of U.S. military voice and Internet traffic travels over private networks. "To protect our military capability, we must work with the Department of Homeland Security and the private sector to protect the nation's critical infrastructure," Lynn said, adding that attacks on multiple critical infrastructure sectors could have a "devastating" impact on the U.S. military.
The military cyber strategy indicates that the DOD's efforts in collaboration with the private sector will continue to expand, reaching out eventually even to small and midsized businesses. "Success will require additional pilot programs, business models, and policy frameworks to foster public-private synergy," the strategy document says.
International partners also play a role, as the United States has been increasing cooperation with key allies including Australia, Canada, the United Kingdom, Japan, and allies in NATO. "Collective cyber defenses will help expand our awareness of malicious activity and speed our ability to defend against ongoing attacks," Lynn said. He added that, going forward, the United States would pursue "international norms" in cyberspace through vehicles like treaties.