DOD struggles to define cyber war
Efforts hampered by lack of agreement on meaning
As the Defense Department puts its new Cyber Command in place to defend the military information infrastructure, it also is wrestling with the nontechnical issues of defining cyber war and establishing a doctrine for cyber warfare, a top Pentagon cyber policy adviser said Wednesday.
James Miller, DOD principal deputy undersecretary for policy, pondered how the law of armed conflict applies to cyber war.
“It’s clear that it does," he said, speaking in an Ogilvy Exchange national security lecture in Washington, But the military still has to establish what an act of aggression or an act of war looks like in cyberspace and decide on the rules for responding — both digitally and physically — when the line between hacking and warfare is crossed, he said.
“We have a lot of efforts underway,” Miller said. “We are trying to bring all of this together into a coherent strategy” that will begin coming out in the next few months. He said there will not be a simple one-sentence definition of what constitutes cybe rwar, but that it will be an evolving concept based on history and on likely scenarios.
“It is clear there is a lot of cyber espionage where data is being pulled," Miller said. "But we understand that not everything that happens in cyberspace is an act of war.”
Miller reminded the audience of the usual statistics about the scope of the threat facing a net-centric DOD: 15,000 DOD networks with 7 million devices at 4,000 installations in 88 countries, all being scanned and probed millions of times a day. More than 100 foreign intelligence organizations are trying to access the systems and foreign militaries are developing the ability to attack and disrupt the systems that already are being penetrated by hackers and criminals.
“The cyber threat has outpaced our ability to defend against it,” he said. “We still are learning” the extent of our dependency on these networks and the scope of the threats against them. “We still see significant gaps and vulnerabilities. We don’t fully understand them, but we’re learning.”
The greatest threat to DOD systems so far has been the theft of sensitive data, he said. But the military also has to defend against disruption and degradation of the systems it is increasingly dependent on.
To date, defensive efforts have been spread between at least a half-dozen different organizations, including the Defense Information Systems Agency; the National Security Agency; and individual service commands in the Army, Air Force and Navy.
“We are spread too thin, geographically and institutionally,” Miller said. But that is changing with this week’s confirmation of NSA Director Keith Alexander, who was given a fourth star to also head the Cyber Command.
“We are headed into a new era,” Miller said. The new command will consolidate current resources, although each service will have primary responsibility for protecting its own networks. It will have three primary missions: defense of military networks, support of military and counterterrorism operations, and support of civilian agency and industry partners as needed.
How can we be at cyberwar if we don't know what it is?
Senate confirms NSA chief as head of Pentagon's new Cyber Command
“There are legal and policy questions we are attempting to address,” Miller said. “It’s not a bright red line. There are a lot of gray areas.”
Effective defense also requires integrating intelligence and offensive capabilities, because attacks and attackers must first be identified to defend against them, Miller said. This point was echoed by Navy Department Chief Information Officer Robert Carey, who said at a separate event Tuesday that DOD needed to build up its cyberattack skills.
“If you know how to attack, you can defend pretty well,” Carey said. “We currently are developing people only as defenders. That mindset has to change.”
Both Miller and Carey also said that simply throwing money at the cyber problems is not an option.
“We are not going to buy out way out of this challenge,” Miller said.
Carey and Miller also lamented the slow pace of the federal budget process. A sophisticated device -- Miller used the iPhone as an example -- can be developed in less time than it takes DOD to create a budget for an IT system.
Carey said that even with a $7.6 billion IT budget, the Navy’s cyber defense has to be cost-effective and make a business case for dollars. Tanks, airplanes and ships still play out better on than do Hill than cyber issues.
“Our cyber guys would love to have the money [currently] being spent on a destroyer,” Carey said. “But that’s not going to happen.”