The U.S. Department of Defense released a comprehensive strategy Thursday aimed at hardening the nation’s computer systems against cyber attacks, starting by designating cyberspace as another “operational domain” that the military will be trained to defend.
“The cyber threats we face are urgent, sometimes uncertain and potentially devastating as adversaries constantly search for vulnerabilities,” said William Lynn, deputy secretary for defense, in a statement. “Our infrastructure, logistics network and business systems are heavily computerized. With 15,000 networks and more than seven million computing devices, the DoD continues to be a target in cyberspace for malicious activity.”
Altogether, the 19-page document, called the “Department of Defense Strategy for Operating in Cyberspace,” establishes cyberspace as a domain protected by the U.S. military in the same way it defends land, sea and air.
In general, the strategy calls for new ways to bolster defenses of critical cyber infrastructure, such as the computer networks of the U.S. military and defense contractors, while developing new weapons and methods to retaliate against U.S. adversaries launching cyber attacks.
The newly unveiled U.S. cybersecurity strategy comes after Lynn revealed that a “foreign intelligence service” had stolen 24,000 files from a defense contractor during a cyber attack in March. While officials have yet to disclose the circumstances around the attack, Lynn said that a weapon system design might have to be reconfigured as a result of the breach, which aimed to compromise intellectual property.
“It is critical to strengthen our cyber capabilities to address the cyber threats we’re facing,” said Leon Panetta, U.S. secretary of defense, in a statement. “I view this as an area in which we’re going to confront increasing threats in the future and thus we have to be better prepared to deal with the growing cyber challenges that will face the nation.”
The strategy also acknowledges that current cyber defenses are inadequate to protect critical U.S. infrastructure that operates crucial industries such as energy, banking and finance, transportation, communication and the Defense Industrial Base.
“Our reliance on cyberspace stands in stark contrast to the inadequacy of our cybersecurity -- the security of the technologies that we use each day,” the document said.
In addition to combatting attacks executed by numerous external hacking groups, the cyber security strategy aims to identify and protect against hostile nation states intent on conducting cyber espionage activities.
“Today, many foreign nations are working to exploit DoD unclassified and classified networks, and some foreign intelligence organizations have already acquired the capacity to disrupt elements of DoD’s information infrastructure,” according to the document. “DoD networks are probed millions of times every day, and successful penetrations have led to the loss of thousands of files from U.S. networks and those of U.S. allies and industry partners.”
Altogether, the comprehensive strategy will address three types of cyber attacks: theft or exploitation of data; denial of service attacks that affect the operability of networks; and destructive action that threatens to “destroy and degrade networks or connected systems.”
Meanwhile, one security expert said the release of the U.S. cyber security plan indicates the growing and undeniable seriousness of cyber threats against the U.S. government as well as corporate enterprises and critical infrastructure.
“The U.S. government has drawn a line in the sand and is saying, 'Enough is enough,'” said Jason Clark, chief security officer for security firm Websense, in an e-mail. “All U.S. organizations need to take notice because the Pentagon’s announcement doesn’t just reflect attacks on our government -- it shows that cybercrime is serious and reaches deep into our economy and infrastructure.”