The Defense Department and its partners at home and worldwide are much better prepared to deal with cyber attacks than they were in 2008, the DOD cyber policy director said yesterday.
Steve Schleien, principal director for cyber in the office of the undersecretary of defense for policy, spoke with American Forces Press Service and the Pentagon Channel during Cyber Security Awareness Month.
“We are much better prepared than we were in 2008 when Operation Buckshot Yankee occurred,” Schleien said, referring to the most significant breach ever of U.S. military computers.
That major compromise of DOD’s classified computer networks led to the 2009 creation of U.S. Cyber Command, part of the Strategic Command, to centralize cyberspace operations, organize cyber resources and synchronize the defense of U.S. military networks.
It also led to President Barack Obama’s May 16 launch of an international strategy for cyberspace and the Defense Department’s July 14 release of its related strategy for operating in cyberspace.
The DOD strategy outlined a new way forward for the department’s military, intelligence and business operations.
Cyber defense improvement, Schleien said, has come from “having the strategy in place, having the Cyber Command and the service cyber components taking a serious look at day-in, day-out coordination of cyber defenses, [and] the knowledge we have of what our adversaries are doing and how to deal with it.”
The department’s unclassified networks never will be perfectly safe, he added.
“We have to be able to operate with that in mind but we’ll work with the Department of Homeland Security, with our private-sector partners … and with our international partners [to] increase DOD cyber security, and hopefully do the same for our partners.”
One such effort is called the Defense Industrial Base, or DIB, Cyber Pilot, a program that helps certain industry companies protect defense-related information on their computer networks from the most serious intruders.
“First, we have a pre-existing cyber security and information assurance program with a small number of DIB companies to help us exchange network security information with them on an unclassified basis,” Schleien said.
“What we’ve done in this cyber pilot that finished up in September is to take a smaller set of DIB companies and try to bring classified signatures, or information that really is in the domain of the government and DOD, to help protect their networks from higher-level adversaries.”
The main part of the pilot was completed in September, he added, but DOD has extended it for 60 days to allow an independent evaluator to determine the program’s success. In that time, department officials will discuss the results with other federal partners.
DOD and DHS tightened their cyber collaboration in 2010 when the agencies signed an agreement to provide personnel, equipment and facilities in mutual support of strategic planning for cyber security, and to jointly develop capabilities and synchronize cyber mission activities.
“We’re using the DIB cyber pilot as a test case for how we can provide a higher level of cyber security to critical infrastructure sectors in the defense industrial base,” Schleien said.
“We are working the pilot hand in hand with DHS so that [they] can use any lessons learned with other critical infrastructure sectors,” he added, such as the electric grid or the national transportation system.
“We and DHS have committed to a very deep working relationship on cyber security [and] have created a joint element at Fort Meade [in Md.] to share a common operating picture, to work on operations views to make sure we understand what the other is doing and sharing techniques on how to deal with the cyber threat.”
DOD also works closely with international partners on cyber security strategy and operations, Schleien said.
One of the points made in Obama’s International Strategy for Cyberspace, he added, “was that if there’s a hostile act in cyberspace against the United States or one of our allies, we … will treat it as we would any other hostile act in one of the other domains.”
To prepare a coordinated response to future cyber attacks, DHS works with DOD and industry through the National Cyber Incident Response Plan, which provides protocols and procedures in the event of a cyber incident, Schleien said.
“We also exchange personnel at our operations centers,” he added, “to ensure that we have a common operating picture.”
In the case of an attack on the electric grid, for example, DHS would bring together senior officials to determine the best way to mitigate the attack, and determine which departments and agencies have the best tools for it.
The United States also would try to attribute the attack or incident to a specific adversary, Schleien said.
For computer attacks, attribution can be difficult, he added, but an interagency group with law enforcement authorities works together on such forensics.
For DOD, the Defense Cybercrime Center has “an outstanding cyber forensics capability,” Schleien said.
“The challenge of attribution is one that we are working on, but it is much different than what we’re familiar with in other domains,” he added.
U.S. policy holds that the Law of Armed Conflict applies to cyberspace, the principal director said.
This means that a response to any kind of hostile cyber act would have to be proportional to the attack, discriminating in terms of targeting lawful combatants, and necessary to accomplish a legitimate military objective.
“That will complicate our response action on making sure our response is consistent with the Law of Armed Conflict,” he said, “… and we will take that very seriously as we think about any response actions. But attribution is a challenge that we haven’t fully met yet.”
Schleien added, “We would do the best we can to give the president options.”