The Pentagon is on the cusp of finalizing new rules of engagement for activities in the cyberdomain, including how to defend domestic networks and respond in the event of an attack.
Key to these new rules is the effect of new fielded technologies that are designed to help the Pentagon with the thorny problem of attributing cyber attacks. Defense Secretary Leon Panetta says that more than $3 billion is spent annually in cybersecurity. And, over the last two years, the Pentagon has “made significant investments in forensics to address this problem of attribution, and we are seeing returns on those investments,” he told an audience Oct. 11 hosted by the Business Executives for National Security in New York. “Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests.”
The Pentagon has attributed “thousands” of low-level attacks, including those supported by nation states or criminals, according to defense officials. What they decline to discuss is how they react to clear attributions—whether they pass this information off to law enforcement or if, perhaps, there is clearance to engage attackers abroad.
Panetta notes that the capabilities of state-backed elements in countries such as Russia, China and Iran have increased. During his trip to China last month, Panetta implored senior defense officials to improve the transparency of activities and direct military-to-military engagements in the cyber domain.
Details of two recent cyber attacks also have been declassified. One, called “Shamoon,” infected more than 30,000 computers at Saudi Arabia’s state-owned Aramco oil company. A so-called wiper routine replaced actual files with an image of a burning U.S. flag, Panetta says. It also overwrote actual data on machines with useless files. Days later, a similar attack impacted Ras Gas of Qatar, a regional energy company.
Defense officials are hoping that a strong defense—potentially coupled with the ability to act preemptively—could deter potential aggressors from penetrating U.S. systems. Building this defense is the most immediate cyberfocus forchief Gen. William Shelton, though “not to the exclusion of offense,” he told an audience hosted by the Air Force Communications and Electronics Association Oct. 11.
Initially, defenses are passive, but Shelton says the goal is to move to a “proactive” model that includes continuous capabilities to monitor and react. This defensive strategy relies on robust intelligence collection in the cyber domain as well as situational awareness tools. Eventually, he hopes to establish a cyber command and control center as well as offensive capabilities, Shelton says.
Likewise, Shelton says the Air Force must stop applying its “industrial age” acquisition system to cyberprocurements, which much be deployed in a timely manner. “Hardware can become obsolete before the ink is dry on the check that paid for it,” he says. He is pushing for the development of a procurement system that can accommodate the short design cycles needed for cyberpurchase.
Panetta, meanwhile, supports the use of an executive order for legislation that is designed to help companies reduce their liabilities while sharing specific threat information with the government. Though the bipartisan Cybersecurity Act of 2012 was proposed to address this problem, it has languished amid congressional gridlock, Panetta says. “Companies should be able to share specific threat information with the government without the prospect of lawsuits hanging over their head. . . . This is unacceptable to me and it should be unacceptable to anyone concerned with safeguarding our national security.”