The Pentagon Defines Its Role in Cybersecurity
June 3, 2015 | 09:30 GMT
|
Analysis
Forecast
• Though the U.S. Department of Defense leads in understanding and exploiting cyberspace vulnerabilities abroad, it will struggle to defend the same vulnerabilities domestically without assistance from other agencies and the private sector.
• The Pentagon will continue to lack the visibility and organizational structure to defend the range of networks upon which it relies.
• Any efforts to expand U.S. law enforcement or military jurisdiction or authority over the Internet's infrastructure likely would face significant domestic opposition.
• The Defense Department has accepted that it must share the domain of cyber defense and thus will continue to work as a partner in defending U.S. economic interests that reside in cyberspace.
The
U.S. Department of Defense Cyber Strategy, a report released April 23,
highlights the government's efforts thus far in realizing its role in
cyberspace since the publication of its first formal strategy in 2011.
The United States already has clearly demonstrated its technological
edge in conducting espionage and sabotage online, as with the Stuxnet attack
against Iranian centrifuges in 2008. However, the U.S. military's
capabilities in the potential war-fighting domain of cyberspace do not
equal its land, sea and air dominance. The Pentagon's cyber strategy
focuses on this reality as much as it does on further incorporating
cyberspace capabilities into its military structure. While the
Department of Defense recognizes cyberspace as an operational domain, it
also recognizes that it must share this domain to safeguard U.S.
interests.
U.S. Cyber Capabilities
The
U.S. government, with the Department of Defense leading the way
principally through the National Security Agency, began developing and
employing offensive cyber capabilities — acts of espionage and
industrial sabotage — years before formally defining cyberspace as an
operational domain. The scope of past U.S. intelligence operations in
cyberspace was revealed by Edward Snowden's leaks
and the demonstrable efforts to sabotage Iran's nuclear program.
However, the Pentagon's capabilities do not safeguard its own
information technology infrastructure and have generally been
ineffective in defending U.S. interests in cyberspace.
To discourage cyber attacks, the U.S. government has used the threat of economic sanctions, criminal prosecution of foreign state officials, and the prospect of physical military action stemming from its 2011 declaration that cyber attacks constitute an act of war. Yet, aside from the prospect of physical military action or economic sanctions, the U.S. government still lacks any effective deterrence to cyber attacks. These breaches continually cause financial losses for the U.S. private sector, and state and non-state actors continue targeting government institutions. To defend (rather than engaging strictly in espionage) in cyberspace, the military must play an auxiliary role in a domain it must share with other government organizations and the private sector.
The private sector owns and operates roughly 90 percent of the physical infrastructure that constitutes the abstract world of cyberspace. Though the Pentagon has proven resourceful in researching and exploiting new vulnerabilities in cyberspace, it lacks the authority to ensure that U.S. interests are protected against such exploits. In other words, the United States' ability to conduct espionage and sabotage in cyberspace depends on the same types of vulnerabilities that threaten its own economic interests. To rectify this, the Pentagon's top priorities in developing its cyberspace strategy focus on defense — namely partnering with domestic government agencies and the private sector to ensure that U.S. interests are safeguarded from cyber attacks by foreign state and non-state actors.
Not all countries that employ offensive capabilities and espionage in cyber space — such as China, Russia, Iran or North Korea — face the same dynamics in defending their own information technology infrastructure. The Chinese government, for instance, maintains strict control over the network infrastructure and the information passing through it within its borders. This allows for much greater control over its security of the network technology, though it stems from China's particular concern for social control.
To discourage cyber attacks, the U.S. government has used the threat of economic sanctions, criminal prosecution of foreign state officials, and the prospect of physical military action stemming from its 2011 declaration that cyber attacks constitute an act of war. Yet, aside from the prospect of physical military action or economic sanctions, the U.S. government still lacks any effective deterrence to cyber attacks. These breaches continually cause financial losses for the U.S. private sector, and state and non-state actors continue targeting government institutions. To defend (rather than engaging strictly in espionage) in cyberspace, the military must play an auxiliary role in a domain it must share with other government organizations and the private sector.
The private sector owns and operates roughly 90 percent of the physical infrastructure that constitutes the abstract world of cyberspace. Though the Pentagon has proven resourceful in researching and exploiting new vulnerabilities in cyberspace, it lacks the authority to ensure that U.S. interests are protected against such exploits. In other words, the United States' ability to conduct espionage and sabotage in cyberspace depends on the same types of vulnerabilities that threaten its own economic interests. To rectify this, the Pentagon's top priorities in developing its cyberspace strategy focus on defense — namely partnering with domestic government agencies and the private sector to ensure that U.S. interests are safeguarded from cyber attacks by foreign state and non-state actors.
Not all countries that employ offensive capabilities and espionage in cyber space — such as China, Russia, Iran or North Korea — face the same dynamics in defending their own information technology infrastructure. The Chinese government, for instance, maintains strict control over the network infrastructure and the information passing through it within its borders. This allows for much greater control over its security of the network technology, though it stems from China's particular concern for social control.
The Pentagon's Limitations
Protecting
U.S. economic interests abroad has been one of the U.S. military's
tasks since its inception. However, defending commercial activity that
takes place on the Internet involves a different skill set and political
constraints than, say, safeguarding international sea lanes. Both the
U.S. military and law enforcement face a complex landscape in
cyberspace, where their jurisdictions are complicated by the global
nature of the Internet's infrastructure and the U.S. distinction between
private and public ownership. This situation is not likely to change
much, because any efforts to expand law enforcement or military
jurisdiction or authority likely would face significant opposition in
the United States.
This lack of authority over infrastructure is just one barrier for the military in dominating cyberspace. Though the Internet's inception was rooted in defense research and development, the increasing importance of the Internet to global commerce and the abstract landscape of cyberspace are shaped by both the private sector and popular use. In 2000, 400 million people were using the Internet; that number will grow to some 3.2 billion by the end of 2015. The very nature of the Internet — once a collection of a few networked computer terminals — has rapidly evolved to encompass nearly every facet of life through an increasing number of different devices that communicate over the global network as part of the Internet of Things. New technologies, and thus new vulnerabilities, are constantly emerging in cyberspace — innovations around which the Department of Defense must continually adapt.
By partnering with the private sector, the Department of Defense can help maintain stronger situational awareness of the ever-changing landscape. The Pentagon may lack the authority to enforce security compliance in the private sector, but it is in an advantageous position, particularly given the power of the intelligence community, to advise the private sector about the current technical vulnerabilities that permit cyber attacks. This kind of cooperation requires the will of individual actors in the private sector and large corporations that also often rely on overseas infrastructure, which can complicate partnerships. However, the Pentagon's own communications rely on numerous networks, many of which can fall victim to malware propagated on the Internet. In its latest cyber strategy report, the Department of Defense admits it lacks the "visibility and organizational structure" to defend such networks, furthering the need for partnerships in defending its cyberspace interests. The dynamics behind this need are not likely to change in the foreseeable future.
This lack of authority over infrastructure is just one barrier for the military in dominating cyberspace. Though the Internet's inception was rooted in defense research and development, the increasing importance of the Internet to global commerce and the abstract landscape of cyberspace are shaped by both the private sector and popular use. In 2000, 400 million people were using the Internet; that number will grow to some 3.2 billion by the end of 2015. The very nature of the Internet — once a collection of a few networked computer terminals — has rapidly evolved to encompass nearly every facet of life through an increasing number of different devices that communicate over the global network as part of the Internet of Things. New technologies, and thus new vulnerabilities, are constantly emerging in cyberspace — innovations around which the Department of Defense must continually adapt.
By partnering with the private sector, the Department of Defense can help maintain stronger situational awareness of the ever-changing landscape. The Pentagon may lack the authority to enforce security compliance in the private sector, but it is in an advantageous position, particularly given the power of the intelligence community, to advise the private sector about the current technical vulnerabilities that permit cyber attacks. This kind of cooperation requires the will of individual actors in the private sector and large corporations that also often rely on overseas infrastructure, which can complicate partnerships. However, the Pentagon's own communications rely on numerous networks, many of which can fall victim to malware propagated on the Internet. In its latest cyber strategy report, the Department of Defense admits it lacks the "visibility and organizational structure" to defend such networks, furthering the need for partnerships in defending its cyberspace interests. The dynamics behind this need are not likely to change in the foreseeable future.
The Challenging Nature of Cyber Attacks
In
cyberspace, attacks and espionage are conducted independent of
geographic range, and expenses are often negligent compared to physical
spying or acts of aggression. For example, a distributed denial of
service attack against a U.S. company relying on its Internet presence
for business can be organized by a small group of individuals at little expense,
particularly compared to the resources necessary to even investigate
the authorship of such an attack. The impact of cyber attacks is far
greater on developed countries with greater reliance on the Internet — a
fact that gives state actors in the developing world and non-state
actors a significant advantage. On Dec. 22, 2014, for example, an
unidentified actor isolated North Korea from the global network via the
country's weak link in China, possibly in retaliation for the 2014 cyber
attack on Sony Pictures Entertainment, which the U.S. government
publicly attributed to North Korea. Whether or not the incident was tied
to the Sony attack, the effect of isolating North Korea — which only
retains around 1,000 unique Internet Protocol addresses — was minimal.
The asymmetric nature of threats in cyberspace, including potential attacks by non-state actors, makes employing an effective deterrence more challenging for the Department of Defense. Economic sanctions and military responses are less useful against common threats from lone hackers, organized crime and activists. Even distinguishing attribution of a specific attack between state and non-state actors can be a daunting task. For example, though the U.S. government appears confident in blaming North Korea for the Sony hack, many cyber security analysts still question the validity of the accusations.
There is no doubt that the Pentagon has been aggressively seeking ways to improve its capabilities in cyberspace. Its latest cyber strategy report highlights how the Department of Defense wants to further integrate its growing capabilities within its traditional combatant command structure. As the U.S. military continues to embrace cyberspace as a domain, it will find that its traditional role in other operational areas does not necessarily translate to this new and increasingly critical territory. Thus, the military will share cyberspace defense duties with other government agencies and the private sector in an effort to protect U.S. economic interests and the military's own networks.
The asymmetric nature of threats in cyberspace, including potential attacks by non-state actors, makes employing an effective deterrence more challenging for the Department of Defense. Economic sanctions and military responses are less useful against common threats from lone hackers, organized crime and activists. Even distinguishing attribution of a specific attack between state and non-state actors can be a daunting task. For example, though the U.S. government appears confident in blaming North Korea for the Sony hack, many cyber security analysts still question the validity of the accusations.
There is no doubt that the Pentagon has been aggressively seeking ways to improve its capabilities in cyberspace. Its latest cyber strategy report highlights how the Department of Defense wants to further integrate its growing capabilities within its traditional combatant command structure. As the U.S. military continues to embrace cyberspace as a domain, it will find that its traditional role in other operational areas does not necessarily translate to this new and increasingly critical territory. Thus, the military will share cyberspace defense duties with other government agencies and the private sector in an effort to protect U.S. economic interests and the military's own networks.