Twitter Facebook Google RSS
National Defense > Blog > Posts > U.S. Cyberwar Plans Fail to Deter Attacks, Says VCJCS Gen. Cartwright
U.S. Cyberwar Plans Fail to Deter Attacks, Says VCJCS Gen. Cartwright
The current methods for protecting U.S. information networks so far have been successful at warding off catastrophic cyber attacks. Over time, however, today’s tactics for defending computer systems will only invite more attacks, says Marine Corps Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff.

Today’s “Maginot Line” approach to cybersecurity encourages building bigger and better “firewalls,” he says. This creates lucrative work for government contractors, but is not a sustainable option. What is needed is a strategy to deter hackers by making it riskier for them to launch attacks, Cartwright tells reporters at a July 14 breakfast meeting.

Cartwright is about to wrap up his term as vice chairman. He is scheduled to leave office August 3, and will retire from the military in September.

Cyber defenses today keep the adversary at bay, but create the wrong incentives, he says. Cybersecurity companies such as “McAfee will build a better firewall,” but that entirely defensive posture is not going to win the fight, Cartwright contends. “We have spent 90 percent of the time focusing on building the next firewall, and only 10 percent on what we might do to keep them from attacking us.”

It has become a trope that it only takes a couple of hundred lines of code to write a virus, Cartwright notes. What is less known is that it takes millions of lines of code to fix a security patch in a computer network. “We’re on the wrong side of that equation,” he says. It costs the enemy pennies to perpetrate an attack, while the U.S. government is running up multimillion-dollar tabs every year. “We have to change that around,” he says.

The message the United States is sending to hackers is that “It’s OK to attack me and I’ll just improve my defenses every time you attack me,” Cartwright says. So far, it has been “very difficult to come up with a deterrence strategy.”

As the Pentagon unveils a new cybersecurity strategy — outlined in a July 14 speech by Deputy Defense Secretary William J. Lynn — many questions remain about the nation’s ability to cope with seemingly more sophisticated network intrusions. At the same time, the American public fears that the militarization of cyberspace could compromise civil liberties and rights to privacy.

“Far from ‘militarizing’ cyberspace,” Lynn states, the Pentagon will be seeking to “dissuade military actors from using cyberspace for hostile purposes.” In the strategy, the Defense Department mentions the introduction of new active cyber defenses, such as sensors, software and signatures to detect and stop malicious code. “A more secure and resilient Internet is in everyone's interest,” says Lynn. “We are now training our forces to thwart attacks that compromise our operations.”

The Pentagon’s strategy is not meant to be a call to arms, Cartwright insists. It simply articulates the Defense Department’s intent to work with the rest of the federal government, the private sector, and foreign allies, so that networks are better protected.

Cyberwarriors pay little attention to borders, he says. “You have to work with partners, look outward, we can’t do it as a single nation.”

The deterrence element of cybersecurity has been a long-debated issue within the government, and particularly at U.S. Cyber Command, the Pentagon’s newly created organization that increasingly is becoming the central player in U.S. cybersecurity efforts.

But despite an inflow of funds and expertise into Cyber Command, the Pentagon has not yet figured out how shift the balance from defense to offense. According to Cartwright, today’s efforts are “90 percent” defensive. In the future, he says, the Pentagon’s tactics should be 90 percent offensive. “We’re supposed to be convincing people that attacking us is not free.”

On the civilian side, a 50/50 balance would be preferable, he says.

“Right now we’re on a path that is too predictable … purely defensive, with no penalty for attacking. … At some point you have to change that.”

One of the obstacles to laying out concrete plans for defensive and offensive cyberwarfare is that much of the discussion is based on speculation, as no significant attacks have yet occurred.

“Trying to solve this in the abstract is difficult,” Cartwright says.

One of the immediate steps the Defense Department will take is working out a framework of rules with its contractors to ensure sensitive Pentagon data are secure. “Instead of working in the abstract, we’re sitting down and doing pilot programs with them … trying to understand how we can pair up with them, protect our secrets [even when] their business is broader than defense.”

The situation is comparable to what millions of people experience every day when they sign up for online banking. By surrendering a password to a financial institution, citizens voluntarily give up a fair amount of privacy in exchange for the convenience. A similar approach may be tried with defense contractors, says Cartwright. “If you want to do business in a particular area, you are going to give up a little of your rights to be better protected.”

For the Defense Department, which operates 15,000 networks, this is no small matter, Cartwright says. “Our networks are our lifeblood.” Without them, “We are back to yellow stickies, and things like that. We depend on networks to operate on a global scale.”


There are no comments yet for this post.
Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights. More information on content approval.

Name: *

eMail *

Comment *



Name: *

eMail *

Comment *


Please enter the text displayed in the image.
The picture contains 6 characters.

Characters *


Legal Notice *

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.



Bookmark and Share