The military’s new cyberstrategy is expected to be unveiled soon. It will not only lay out a comprehensive plan to secure military computers networks, but will also designate cyberspace as a battleground comparable to air, land, and sea.
The strategy’s contents were outlined by Deputy Secretary of Defense William Lynn last year, but little has been revealed since. It was announced in September 2009 just after Iran revealed its Bushehr nuclear power plant was hit by Stuxnet, a cyberweapon that was able to destroy several nuclear centrifuges.
Lynn stated that the Pentagon and Department of Homeland Security were developing an international cyberstrategy that would include “various initiatives to defend the United States in the digital age.” He stated that military and civilian networks are being probed “thousands of times and scanned millions of times,” each day, and “Adversaries have acquired thousands of files from U.S. networks” including weapons blueprints and operations plans.
He gave a clearer view of the strategy during an Oct. 1, 2009, Council on Foreign Relations (CFR) event. The strategy will include five pillars, including active cybersdefense, protection of critical infrastructure, and using “a Cold War concept” to share information with allies.
It is possible the strategy ties closely with what was announced at the NATO Lisbon Summit in December 2010, particularly the formation of coalitions mentioned by both Lynn and by NATO reports. Although details on both strategies remain vague, as they are still being developed, the outlines are similar.
The NATO strategy, likewise, will include “bringing all NATO bodies under centralized cyberprotection, and better integrating NATO cyber-awareness, warning, and response with member nations,” stated NATO Secretary-General Anders Fogh Rasmussen in a press release. It will also focus on protecting critical infrastructure.
The final U.S. strategy may be different from what was originally discussed, and the full breadth of what’s to come may or may not be completely revealed to the public. What is certain, however, is that cyberwarfare will play a major role in future military conflict, and the new strategy will be more of a trumpet ushering in a new era of warfare.
Even without a major, public strategy, the U.S. military has already taken a strong stance in the digital world. As far back as 1994, the United States was discussing cyberwarfare and cyberdefense in a conference on “information war,” according to John Bumgarner, chief technology officer of the U.S. Cyber Consequences Unit, an independent research institute on cyber-attacks.
“The U.S. isn’t just entering the cyberwar arena, they’re just announcing their intentions publicly.” Bumgarner said in a phone interview.
Fundamental problems arise when discussing cyberwar, however, as it is far different from traditional warfare. In all other forms of war—whether by air, land, or sea—a country can tell if an attack is eminent. “But in cyberspace it’s difficult to see, just because of the way cyberspace is designed, an attacker until potentially it’s too late,” Bumgarner said.
Much of what is expected in cyberstrategy are things Bumgarner has discussed for years.
He stated that regarding the formation of international coalitions, the system will need to function similar to a “NORAD in cyberspace.” Members of the alliance will need to be able to pass information between one another in the case of a large cyber-attack. It will also need a component similar to a digital NATO to fend off adversaries.
“Eventually the U.N. is going to have to start thinking about how to deploy peacekeepers in cyberspace,” Bumgarner said. “DOD and NATO would have to have some sort of alliance strategy for cyberspace.”
The form of “active cyberdefense” briefly discussed by Lynn, will not be simple to create, but will be necessary in securing critical networks. According to Bumgarner, this will require what he describes as a “polymorphic cyberdefense ecosystem.” It would essentially be a network that could recognize attacks and change itself to defend against them.
The idea of protecting critical infrastructure is also no simple matter, since they are nonmilitary networks. This would include power systems, water supplies, and financial institutions.
Warfare is not limited to attacks on military targets, and just as critical infrastructure were targets of physical attacks during World War II, they are likely to be targets of cyber-attacks moving forward. A Chinese military document released in 1999, “Unrestricted Warfare,” described the Chinese regime’s military options of using cyber-attacks against U.S. critical infrastructure.
The report describes a plan allowing the Chinese regime to win an “informationized war” by the middle of the century.
Addressing cyberterrorism—the use of cyber-attacks by terrorist organizations—is also a rising threat that will need to be addressed in an upcoming strategy, according to Bumgarner.
The risk of cyberterrorism was described in a 2009 hearing on developing a cybersecurity national strategy by the Committee on Homeland Security and Governmental Affairs.
Committee Chairman Joseph Lieberman stated, “But here is my concern. If I were an enemy, either a state enemy or a non-state enemy, like a terrorist group wanting to do us harm, it seems to me one of the first most attractive ways to attack us would be a cyber-attack, both because of the difficulty of finding me, the enemy, but also of the tremendous damage I could do at this point in the status of our cyberdefenses.”
The hearing raised the question of “How do we best generate a strategy that deters terrorists and hostile nation states from executing cyber-attacks that potentially could devastate our critical infrastructure?” as was stated by Sen. Susan Collins.
Regardless of what is included in the final cyberstrategy, however, due to the nature of politics and the breadth of networks and countries it will likely include, it will be implemented over a long term.
“We’re not talking about something that’s going to happen tomorrow,” Bumgarner said.