Aug 02 2011

Behind the Strategy

There are more than 10,000 words in the "International Strategy for Cyberspace." Not one of them is "militarize." Yet that's the word that was heard round the world when the White House released the document in May.

The strategy lays out the values worth preserving on the Internet, the norms for responsible cyberbehavior and the steps the United States, along with its allies, will take to protect it. "It's what George H.W. Bush would have called 'the vision thing,' " says James Andrew Lewis, director and senior fellow at the Center for Strategic and International Studies.

Yet many focused on one section — one paragraph, in particular — toward the middle of the document. In essence, it states that the United States reserves the right to use military force to respond to hostile acts in cyberspace.

It's about defense, says Martin Libicki, senior management scientist at Rand and author of the 2007 book Conquest in Cyberspace: National Security and Information Warfare, but if it ever came to that, the military could shift into offensive operations. "Or we might choose to ignore it," he adds. "Let's say North Korea turned out the lights in the United States. Would we want to start a second Korean war over it? Think of it as a placeholder."

But other countries did not regard it as a placeholder, he explains. "They look at the document as an indication that we fully intend to militarize cyberspace."

So in July, Deputy Defense Secretary William J. Lynn, III confronted the issue while speaking at the National Defense University about the long-awaited "Department of Defense Strategy for Operating in Cyberspace."

The strategy, issued in July, focuses on improving the security of the Internet and the nation's critical infrastructure to deter would-be attackers. "Far from 'militarizing' cyberspace, our strategy of securing networks to deny the benefit of an attack will help dissuade military actors from using cyberspace for hostile purposes," Lynn said while introducing the strategy.

Much of it is not new. Lynn has been discussing the essential elements of the strategy since last fall. "However, the release of the strategy is an important milestone for the Defense Department," explains Lt. Col. April Cunningham, a DOD spokeswoman. "It is the first unified strategy for DOD's cyberspace operations. … It recognizes the opportunities and challenges that cyberspace presents and the need for DOD to organize, train, and equip for them."

The strategy outlines five strategic initiatives:

  1. Treat cyberspace as an operational domain. That means that the military will organize, train and equip forces (with U.S. Cyber Command leading the charge) to protect cyberspace, just as it does with land, air, sea and space.
  2. Introduce new concepts to protect DOD networks and systems, including improving cyberhygiene and employing active cyberdefenses. Protecting networks at the gateway isn't enough, Cunningham says. "To find intruders once they are inside, we have to be able to hunt within our own networks."
  3. Partner with other branches of the government and the private sector to protect the nation's critical infrastructure. Through such a partnership, DOD, the Homeland Security Department and the Defense Industrial Base (organizations that support the military, such as defense contractors) are piloting a program in which they share classified threat intelligence to improve defenses.
  4. Build relationships with U.S. allies to strengthen cybersecurity. This initiative outlines steps that DOD plans to take in line with the "International Strategy for Cyberspace."
  5. Leverage the nation's resources to improve the security of the Internet. As a recent example, Cunningham cites the Defense Advanced Research Projects Agency's national cybertraining range - "in effect, a model of the Internet." Once operational, it will let the military test capabilities before fielding them, just as other military units do. DOD is also challenging the scientific community to rethink the basis of network architecture - how to redesign or retrofit hardware, operating systems and computer languages with cybersecurity in mind.

"Our information technology infrastructure will not change overnight," Cunningham says. "But over the course of a generation, we have a real opportunity to engineer our way out of some of the most problematic vulnerabilities of today's technology."