The Pentagon released a long-promised cybersecurity plan Thursday [14 Jul 2011] that declares the Internet a domain of war but does not spell out how the U.S. military would use the Web for offensive strikes.<\/p>\n
The Defense Department\u2019s first-ever plan for cyberspace states that DOD will expand its ability to thwart attacks from other nations and groups, beef up its cybersecurity workforce and expand collaboration with the private sector.<\/p>\n
Like major corporations and the rest of the federal government, the military \u201cdepends on cyberspace to function,\u201d the DOD strategy states. The U.S. military uses cyberspace for everything from carrying out military operations to sharing intelligence data internally to managing personnel assignments.<\/p>\n
\u201cThe department and the nation have vulnerabilities in cyberspace,\u201d the document states. \u201cOur reliance on cyberspace stands in stark contrast to the inadequacy of our cybersecurity.\u201d<\/p>\n
Other nations \u201care working to exploit DOD unclassified and classified networks, and some foreign intelligence organizations have already acquired the capacity to disrupt elements of DOD\u2019s information infrastructure,\u201d the plan states. \u201cMoreover, non-state actors increasingly threaten to penetrate and disrupt DOD networks and systems.\u201d<\/p>\n
Groups are capable of this largely because \u201csmall-scale technologies\u201d that have \u201can impact disproportionate to their size\u201d are relatively inexpensive and readily available.<\/p>\n
The Pentagon plans to focus heavily on three areas under the new strategy: The theft or exploitation of data, attempts to deny or disrupt access to U.S. military networks, and any attempts to \u201cdestroy or degrade networks or connected systems.\u201d<\/p>\n
Another problem highlighted in the strategy is a baked-in threat: \u201cThe majority of information technology products used in the United States are manufactured and assembled overseas.\u201d<\/p>\n
To address those issues, DOD revealed a multi-pronged approach.<\/p>\n
As expected and foreshadowed by Pentagon officials\u2019 comments in recent years, the plan etches in stone that cyberspace is now an \u201coperational domain\u201d just as land, air, sea and space have been for decades for the military.<\/p>\n
\u201cThis allows DOD to organize, train and equip for cyberspace\u201d as in those other areas, the plan states. It also notes the 2010 establishment of U.S. Cyber Command to oversee all DOD work in the cyberspace.<\/p>\n
By crafting a this strategy, \u201cthe Department of Defense is acknowledging what all observers of the IT revolution have known for years: cyberwar is already a reality,\u201d Lexington Institute analyst Daniel Goure, a former Army official, wrote recently.<\/p>\n
\u201cThe publication of the cyberwar strategy may also help jumpstart a long-postponed public debate over the nature of such a war and how it should be deterred, if possible, or fought if necessary,\u201d Goure wrote. \u201cThe last technology to revolutionize warfare to the same extent as IT is doing was that which led to the creation of nuclear weapons.\u201d<\/p>\n
The second leg of the plan is to employ new defensive ways of operating in cyberspace, first by enhancing the DOD\u2019s \u201ccyber hygiene.\u201d That term covers ensuring that data on military networks remains secure, using the Internet wisely and designing systems and networks to guard against cyberstrikes.<\/p>\n
The military will continue its \u201cactive cyber defense\u201d approach of \u201cusing sensors, software and intelligence to detect and stop malicious activity before it can affect DOD networks and systems.\u201d It also will look for new \u201capproaches and paradigms\u201d that will include \u201cdevelopment and integration \u2026 of mobile media and secure cloud computing.\u201d<\/p>\n
The plan devotes more than a page to mostly underscore efforts long under way to work with other government agencies and the private sector.<\/p>\n
Notably, it calls the Department of Homeland Security the lead for \u201cinteragency efforts to identify and mitigate cyber vulnerabilities in the nation\u2019s critical infrastructure.\u201d Some experts have warned against DOD overstepping on domestic cybersecurity.<\/p>\n
The Pentagon also announced a new pilot program with industry designed to encourage companies to \u201cvoluntarily [opt] into increased sharing of information about malicious or unauthorized cyber activity.\u201d<\/p>\n
The strategy calls for a larger DOD cybersecurity workforce.<\/p>\n
One challenge, Pentagon experts say, will be attracting top IT talent because the private sector can pay much larger salaries \u2014 especially in times of shrinking defense budgets. To that end, \u201cDOD will focus on the establishment of dynamic programs to attract talent early,\u201d the plan states.<\/p>\n
On IT acquisition, the plan lays out several changes, including: faster delivery of systems; moving to incremental development and upgrading instead of waiting to buy \u201clarge, complex systems\u201d; and improved security measures.<\/p>\n
Finally, the strategy states an intention to work more closely with \u201csmall- and medium-sized business\u201d and \u201centrepreneurs in Silicon Valley and other U.S. technology innovation hubs.\u201d<\/p>\n
The reaction from Capitol Hill in the immediate wake of the plan\u2019s unveiling was mostly muted. Cybersecurity is not a polarizing political issue in the way some defense issues are, like missile defense.<\/p>\n
Claude Chafin, a spokesman for House Armed Services Committee Chairman Buck McKeon (R-Calif.), called the strategy \u201cthe next step in an important national conversation on securing critical systems and information, one that the Armed Services Committee has been having for some time.\u201d<\/p>\n
That panel already has set up its own cybersecurity task force, which Chafin said would \u201cconsider this [DOD] plan in its sweeping review of America\u2019s ability to defend against cyber attacks.\u201d<\/p>\n
As the Pentagon tweaks its approaches to cybersecurity, Senate Armed Services Committee ranking member John McCain (R-Ariz.) on Wednesday wrote Senate leaders saying that chamber must as well. McCain asked Majority Leader Harry Reid (D-Nev.) and Minority Leader Mitch McConnell (R-Ky.) to establish a temporary Select Committee on Cyber Security and Electronic Intelligence Leaks.<\/p>\n
\u201cCybersecurity proposals have been put forth by numerous Senate committees, the White House and various government agencies; however, the Senate has yet to coalesce around one comprehensive proposal that adequately addresses the government-wide threats we face,\u201d McCain\u2019s office said in a statement. \u201cA select committee would be capable of drafting comprehensive cybersecurity legislation quickly without needing to work through numerous and in some cases competing committees of jurisdiction.\u201d<\/p>\n