Policies to deter cyberattacks and to protect U.S. computers from infected software are the subject of ongoing discussions taking place at the Pentagon and in Congress.
“We have lots of decisions to make in the cyber domain,” said Vice Adm. Carl Mauney, deputy commander for U.S. Strategic Command. “Our work is cut out for us,” he told representatives from the information technology industry last week at a conference hosted by the Armed Forces Communications and Electronics Association.
How to keep criminals from operating in cyberspace with impunity is the intent, officials said.
The federal government will practice its response to a large-scale cyberoffensive in September during Cyber Storm III, a simulated exercise that will target government computer networks and national infrastructure control systems.Hackers today can launch sophisticated cyberattacks with little chance of getting caught and even less chance of being punished, officials complained during panel discussions at the conference.
The risk involved with executing a complex attack is “less than or equal to zero,” said Bruce Held, intelligence and counterintelligence director at the Energy Department.
“A static cyberdefense can never win against an agile cyberoffense,” Held said.
“If you on the defense beat me 99 times, I will come at you 100. If you beat me 999 times, I will come at you 1,000. But I will beat you,” he said.
The United States must impose risk and consequences in cyberspace and work to secure the information technology supply chain, said Held, who used to work as a clandestine officer in the Central Intelligence Agency.In February, the Bipartisan Policy Center conducted CyberShockWave, a simulated act of cyberwar on the United States. The scenario consisted of a malware program being delivered to people’s phones through a popular “March Madness” basketball bracket application. The pretend attack cut service to more than 20 million smart phones and left the eastern seaboard without power. The exercise, broadcast on CNN, showed the country to be unprepared should a similar attack actually take place.
In July 2009, a serious of real-life cyberstrikes shut down government and media websites in South Korea and the United States. To date, no one knows exactly who orchestrated the barrage. And that’s one of the problems with trying to hand down punishments in cyberspace — many times, it’s virtually impossible to trace an action back to a specific computer.
Cyberattacks against networks in the United States often can be dealt with diplomatically, military leaders at last week’s conference said. They stopped short of discussing any offensive cyberoperations the recently launched Cyber Command might employ.
“We don’t need to know the specific computer [an attack] is coming from,” Held said, “but we do need to know what country it’s coming from.” The same goes for the hardware and software that the American government, companies and citizens use to conduct business and exchange sensitive information. “As a result of irreversible globalization in the economy, we are losing control of our software and hardware supply chain,” Held said.
Many products are bought not from the original manufacturers, but on the “gray” market, said Guy Copeland, who chairs the Cross-Sector Cybersecurity Working Group. Items bought on the cheap in this unauthorized manner avoid the normal testing and regulation. If the United States cannot manage a secure supply chain, it at least needs a more diverse one, Held said. Acquiring products from a variety of countries limits the possibility of becoming dependent on a nation that could become an adversary, he explained.
