Washington: One of the biggest attacks ever on American military networks occurred in March, when another country stole some 24,000 files from a U.S. defense company’s computers, Deputy Defense Bill Lynn said today.
While no one mentioned either China or Russia they would be top of the list for any such attack. Lynn disclosed the attack during a speech at the National Defense University when he unveiled the country’s first cyber security strategy.
Lynn said that the “strategy’s overriding emphasis is on denying the benefit of an attack. Rather than rely on the threat of retaliation alone to deter attacks in cyberspace, we aim to change our adversaries’ incentives in a more fundamental way.” That would certainly seem to imply that most of America’s cyber efforts are defensive, an approach that Marine Gen. James “Hoss” Cartwright said this morning was the wrong way to go.
“Right now, we are on a path that is too predictable,” he said before Lynn’s speech, noting there is “no penalty for an attack now.” Cartwright pointed to the fact that an attack can consist of only a few hundred lines of code, while a patch to prevent the attack can easily consist of several million lines of code. “We are on the bad side of a divergent threat.”
The U.S., Cartwright said, must shift from its current mix of focusing 90 percent of efforts on protection and 10 percent on deterrence to focusing 90 percent on deterrence and 10 percent on defense.
But Lynn offered a different argument. “Rather than rely on the threat of retaliation alone to deter attacks in cyberspace, we aim to change our adversaries’ incentives in a more fundamental way. If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place,” he said.
Among the efforts to make military networks more secure, Lynn highlighted greater cooperation with Australia, Canada, the United Kingdom, and NATO. And that net will spread wider in coming months, he said.
The Pentagon has poured “half a billion dollars in R&D funds to accelerate research on advanced defensive technologies.” The eventual goal: “a time when computers innately and automatically adapt to new threats. We hope for a world when we can not only transmit information in encrypted form, but also keep data encrypted as we perform regular computer operations. Having data encrypted 100% of the time would be a revolution in computer security, greatly enhancing our ability to operate in un-trusted environments,” he said.
Most of that would, of course, be performed by the cyber gurus at the National Security Agency, under Cyber Command.
The Pentagon earlier launched its Defense Industrial Base Cyber Pilot, where it shares classified threat intelligence with defense contractors or internet service providers and tells them how to defend their networks.