Amid budget cuts and growing cyber-tensions with China, a Pentagon advisory panel has recommended beefing up U.S. cyber-defenses while creating a new offensive cyberwarfare capability.
"The adversary is in our networks," warned the unclassified version of a Defense Science Board (DSB) report, Resilient Military Systems and the Advanced Cyber Threat.
The 18-month study warned that the U.S. IT infrastructure is ill-equipped to handle cyberattacks launched by "full spectrum" adversaries using cyber-capabilities, along with military and intelligence assets.
The task force recommended that the Department of Defense (DoD) take the lead by building "an effective response" to cyberattacks that would harden public and private IT systems against attack. It called for development of a "ladder of capabilities" to defend against known vulnerabilities -- up to and including a nuclear option -- as part of an American response. Arguing in favor of Cold War-era deterrence, the panel said that such hardened systems would reduce would-be attackers' confidence in their ability to degrade military networks.
The report's attempt to link cyberwar with nuclear deterrence and Cold War struggles puzzled some analysts. While the DSB report highlighted the vulnerability of far-flung military networks with varying levels of security, references to the U.S. nuclear arsenal gave it an "other-worldly quality," said James Lewis, a cybersecurity specialist with the Center for Strategic and International Studies.
"Would deterrence work in cyberwarfare?" Lewis asked.
The panel, made up of ex-DoD officials, industry executives and scientists, said its warnings were prompted by the alarming ease with which U.S. military networks have been penetrated, along with exercises in which so-called "Red Teams" have used widely available Internet tools to defeat DoD cyber-defenders.
The report also noted the "weak cyber-hygiene position of DoD networks and systems." One of the most egregious known breaches in 2008 involved leaving thumb drives scattered in a parking lot at the U.S. Central Command in Tampa, Fla. Investigators concluded that malware was introduced into DoD networks when at least one drive was picked up and plugged into DoD computers.
Military networks are increasingly vulnerable because they are "built on inherently insecure architectures," the report warned. Hence, the military's "dependence on this vulnerable technology is a magnet to U.S. opponents."
Along with upgrading defenses, the panel said DoD should develop an offensive cyber-capability, even though the rules of engagement for cyber-warfare are still being hotly debated. The U.S. Cyber Command should develop a war-gaming capability while recruiting offensive cyber-warriors, the DSB panel urged.
Former Defense Secretary Leon Panetta laid out the Pentagon’s cyber-strategy last fall, roughly three years after the formation of a U.S. Cyber Command headed by Gen. Keith Alexander, director of the National Security Agency.
"We won't succeed in preventing a cyberattack through improved defenses alone," Panetta said. "If we detect an imminent threat of attack that will cause significant, physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us to defend this nation…."
Conspicuously absent from the report were references to China despite recent reports of widespread hacking efforts thought to have been launched from within the People's Liberation Army.
Tom Donilon, President Obama's national security adviser, said Monday that "U.S. businesses are speaking out about their serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber-intrusions emanating from China on an unprecedented scale."
Donilon pressed Beijing in a speech before the Asia Society to acknowledge the threat and stop it, then work with the U.S. to "establish acceptable norms of behavior in cyberspace."
Lewis, the analyst, said a possible "trigger" for the recent flurry of U.S. activity related to cybersecurity may stem from computer attacks thought to have originated last fall from Iran against banks and Saudi Arabia's national oil company, Aramco. "That worried people" in the government, Lewis said.
The DSB panel also proposed ways to measure progress in the unrelenting cat-and-mouse cyber-struggle. The metrics would be used to determine DoD's investment priorities.
Those priorities are under review in response to steep budget cuts known as sequestration, which took effect on March 1. Most DoD programs are facing across-the-board 8% budget cuts through Sept. 30, the end of the current fiscal year.
The "bottom up" review will help determine Pentagon spending priorities for what is expected to be a new era of austerity after a doubling of the U.S. national security budget over the last decade. Along with reduced spending for IT, mandatory budget cuts are expected to result in furloughs of contractors working for the U.S. Cyber Command.