The United States will leverage IT know-how among members of the National Guard and the nation’s military reserves by increasing the number of units that have dedicated cybermissions, U.S. Deputy Defense Secretary William Lynn announced Tuesday.
Government efforts alone can’t fend off cyberattackers, and stronger cooperation with the private sector is crucial, said Lynn, who was speaking at the RSA 2011 security conference in San Francisco.
To that end, the Department of Defense is strengthening ties with the private sector. This includes extending cybersecurity to selected networks, closer cooperation with telecommunications carriers and expansion of a program in which cybersecurity personnel are swapped between the government and the cybersecurity industry.
Lynn also announced that the DoD will spend US$500 million on research into encryption and other high-tech areas.
Chronicling the Cyberthreat
“In the cyber domain, soldiers are not the only ones on the front lines; scientists and innovators are there, too,” Lynn told his audience.
Cyberthreats continues to mature, beginning with exploitation of networks, then moving on to degradation of networks in attacks like the DDoS attacks against Estonia and Georgia in 2007 and 2008, respectively, as well as the hacker group Anonymous’ attacks against eBay and PayPal last December, Lynn stated.
The next phase in the evolution of cyberthreats is destruction, where online tools are used to cause actual physical damage, Lynn said. “When you look at the cybertools already available, it’s clear this threat already exists,” he added.
While it’s possible that destructive cyberattacks will never be launched, “few weapons in the history of warfare, once created, have gone unused,” he remarked.
The U.S. Defense Department has therefore adopted a new strategy that recognizes “we’re in the midst of this strategic shift in cyberthreat, moving up from exploitation to disruption and eventually destruction,” Lynn said.
The greatest danger comes from terrorist groups, which can create their own tools or purchase them.
“With few tangible assets to lose in a confrontation, terrorist groups are difficult to deter,” Lynn said. “We have to assume that, if they have the means to strike, they will do so.”
Hammering at the Hackers
The Defense Department has adopted a strategy dubbed “Cyber 3.0.” It has five pillars.
First, the military recognizes cyberspace as a sphere of operations. This means it needs to organize, train and equip forces to perform cybermissions — think of them as cybercommandos.
Second, the military has equipped its networks with active defenses.
Third, the Department of Homeland Security is working to ensure that the United States’ critical infrastructure is protected. Military cybercapabilities will be made available to the civilian authorities to protect civilian infrastructure.
Fourth, the U.S. is building cooperative defenses with its allies.
Fifth, it’s marshaling the nation’s technological and human resources to ensure it maintains its preeminence in cyberspace.
In addition, Lynn announced a program to increase the number of National Guard and armed forces reserve units that have a dedicated cybermission.
The DoD and Department of Homeland Security are also working with telecommunications providers, who have “unparalleled visibility into global networks,” Lynn said.
Lynn also announced the DoD’s plans to expand the information technology exchange program, under which cybersecurity personnel are exchanged between the government and industry.
Overkill Is a Myth
If anything, Lynn may be understating the problem the United States faces.
“We have wasted almost three decades with little thought given to secure computing,” Randy Abrams, director of technical education at ESET, told TechNewsWorld. “Functionality has always trumped security, and so a plethora of insecure products was created. We’re still repeating mistakes with things like smart meters lacking basic security protections,” he said, referring to electrical meters with advanced recording and reporting capabilities.
“We’re dealing with an infrastructure that wasn’t intended to support the level and complexity of traffic it serves today,” Charles King, principal at Pund-IT, told TechNewsWorld.
“Security professionals will continue to play catch-up until the infrastructure is replaced,” King added.
However, the infrastructure is only part of the problem; another part is that “creative individuals and groups will always be able to move more quickly than governmental agencies,” King said. “It’s in the nature of the beast.”
That lack of speed is one of the problems the government seeks to tackle with the establishment of cybercommandos and with stronger cooperation between the private and public structures.
“It takes the Pentagon 81 months to introduce a new system; the iPhone was developed in 24 months,” Lynn said. “That’s the same amount of time it takes for us to prepare and approve a new budget. We have to close this gap, and Silicon Valley can help us,” he added.