U.S. Cyberwar Plans Fail to Deter Attacks, Says VCJCS Gen. Cartwright
Today’s “Maginot Line” approach to cybersecurity encourages building bigger and better “firewalls,” he says. This creates lucrative work for government contractors, but is not a sustainable option. What is needed is a strategy to deter hackers by making it riskier for them to launch attacks, Cartwright tells reporters at a July 14 breakfast meeting.
Cartwright is about to wrap up his term as vice chairman. He is scheduled to leave office August 3, and will retire from the military in September.
Cyber defenses today keep the adversary at bay, but create the wrong incentives, he says. Cybersecurity companies such as “McAfee will build a better firewall,” but that entirely defensive posture is not going to win the fight, Cartwright contends. “We have spent 90 percent of the time focusing on building the next firewall, and only 10 percent on what we might do to keep them from attacking us.”
It has become a trope that it only takes a couple of hundred lines of code to write a virus, Cartwright notes. What is less known is that it takes millions of lines of code to fix a security patch in a computer network. “We’re on the wrong side of that equation,” he says. It costs the enemy pennies to perpetrate an attack, while the U.S. government is running up multimillion-dollar tabs every year. “We have to change that around,” he says.
The message the United States is sending to hackers is that “It’s OK to attack me and I’ll just improve my defenses every time you attack me,” Cartwright says. So far, it has been “very difficult to come up with a deterrence strategy.”
As the Pentagon unveils anew cybersecurity strategy — outlined in aJuly 14 speech by Deputy Defense Secretary William J. Lynn — many questions remain about the nation’s ability to cope with seemingly more sophisticated network intrusions. At the same time, the American public fears that the militarization of cyberspace could compromise civil liberties and rights to privacy.
“Far from ‘militarizing’ cyberspace,” Lynn states, the Pentagon will be seeking to “dissuade military actors from using cyberspace for hostile purposes.” In the strategy, the Defense Department mentions the introduction of new active cyber defenses, such as sensors, software and signatures to detect and stop malicious code. “A more secure and resilient Internet is in everyone's interest,” says Lynn. “We are now training our forces to thwart attacks that compromise our operations.”
The Pentagon’s strategy is not meant to be a call to arms, Cartwright insists. It simply articulates the Defense Department’s intent to work with the rest of the federal government, the private sector, and foreign allies, so that networks are better protected.
Cyberwarriors pay little attention to borders, he says. “You have to work with partners, look outward, we can’t do it as a single nation.”
The deterrence element of cybersecurity has been a long-debated issue within the government, and particularly at U.S. Cyber Command, the Pentagon’s newly created organization that increasingly is becoming the central player in U.S. cybersecurity efforts.
But despite an inflow of funds and expertise into Cyber Command, the Pentagon has not yet figured out how shift the balance from defense to offense. According to Cartwright, today’s efforts are “90 percent” defensive. In the future, he says, the Pentagon’s tactics should be 90 percent offensive. “We’re supposed to be convincing people that attacking us is not free.”
On the civilian side, a 50/50 balance would be preferable, he says.
“Right now we’re on a path that is too predictable … purely defensive, with no penalty for attacking. … At some point you have to change that.”
One of the obstacles to laying out concrete plans for defensive and offensive cyberwarfare is that much of the discussion is based on speculation, as no significant attacks have yet occurred.
“Trying to solve this in the abstract is difficult,” Cartwright says.
One of the immediate steps the Defense Department will take is working out a framework of rules with its contractors to ensure sensitive Pentagon data are secure. “Instead of working in the abstract, we’re sitting down and doing pilot programs with them … trying to understand how we can pair up with them, protect our secrets [even when] their business is broader than defense.”
The situation is comparable to what millions of people experience every day when they sign up for online banking. By surrendering a password to a financial institution, citizens voluntarily give up a fair amount of privacy in exchange for the convenience. A similar approach may be tried with defense contractors, says Cartwright. “If you want to do business in a particular area, you are going to give up a little of your rights to be better protected.”
For the Defense Department, which operates 15,000 networks, this is no small matter, Cartwright says. “Our networks are our lifeblood.” Without them, “We are back to yellow stickies, and things like that. We depend on networks to operate on a global scale.”