By David Ignatius
WASHINGTON — With little fanfare, the Pentagon is putting the finishing touches on a new strategy that will treat cyberspace as a domain of potential warfare — and apply instant “active defense” to counter attacks that, in theory, could shut down the nation’s transportation and commerce.
Even though it deals with a distinctly 21st-century problem, the strategy has echoes of the Cold War: America’s closest allies would be drawn into an early-warning network of collective cybersecurity; private industry would be mobilized in a kind of civil defense against attackers; and military commanders would be given authority to respond automatically to electronic invaders.
In place of “massive retaliation” against attackers whose country of origin may be unclear, the strategy proposes an alternative concept of deterrence based on making America’s infrastructure robust and redundant enough to survive any attack. The Department of Homeland Security would oversee this hardening of infrastructure, with help from the National Security Agency.
William J. Lynn III, the deputy secretary of defense, explained the new approach, known as “Cyberstrategy 3.0” within the Pentagon, in an interview this week and in an article that appears in the new issue of Foreign Affairs. The formal policy should be completed by December, he said; meanwhile, the Pentagon’s new “Cyber Command” will have responsibility for “active defense” starting Oct. 1.
Lynn’s proposals are provocative. But the strategy could be costly and perhaps cumbersome, and it involves threats that aren’t well understood by the public — even by many of the companies that could be targets of attacks. So the first order of business should be more public information: Everyone needs to understand the risks of attack, and the costs and benefits of mobilizing against it.
Talking with Lynn, I was struck by the gap between the way defense experts see cyberspace — as a source of potentially crippling assault — and the public’s view of an Internet that is a generally benign companion. Although Lynn speaks of cyberspace as a “domain” that can be protected, such as airspace, it may be closer to the oxygen we breathe.
The Pentagon is already recruiting allies on cybersecurity. Lynn has shared ideas with America’s longtime partners on signals intelligence — Britain, Canada and Australia. He plans to meet with a wider circle of NATO allies next month. One topic will be surveillance against cyberattacks — a sort of Internet version of the old “DEW Line” radar network or the undersea listening devices that monitored Soviet submarines.
Lynn’s defense scheme would be “part sensor, part sentry, part sharpshooter.” The first two are noncontroversial, but I asked him what he meant by “sharpshooter.” He explained that if Cyber Command detected an incoming attack, it would instantly “quarantine the malicious code” by “diverting it into a place where it would be harmless.” The challenge, he said, was to stop the attack without doing “collateral damage” such as disrupting global commerce.
Lynn wouldn’t talk much about America’s own offensive weapons in cyberspace, except to say that “we have developed a wide range of capabilities.” The U.S. is probably more vulnerable to such attacks than other countries because our economy is more wired. But Lynn rejected the idea of banning cyberweapons, through a new version of arms control, because it would be so easy for others to cheat.
In cyberplanning, the phrase “military-industrial complex” has special resonance. Since at least 2007, the Pentagon has been informing defense contractors about hostile penetrations of their networks. This has evolved into the “Enduring Security Framework,” a partnership that includes CEOs of many of the big technology and defense companies. Lynn said the Pentagon is working with contractors to protect their systems from cyberattack.
An intriguing aspect of cyberstrategy is that it turns “globalization” inside out. A U.S. laptop-maker that once would have boasted that its components were assembled in 50 different countries must now worry about 50 points where an intruder could plant malicious code. The DOD calls this problem “supply chain vulnerability.” Lynn said he hopes companies will monitor their plants and suppliers to reduce the risk that products sent to the U.S. are contaminated, but he conceded that “you can’t build everything inside a fence.”
In the debate about cyberstrategy, I hope officials will recognize the dangers of militarizing the global highway for commerce and communication. Of course we want to protect ourselves against threats. But as with human viruses, hostile computer bugs will evade our best efforts at quarantine. A new (and expensive) obsession with cybersecurity is not what this traumatized country needs.
David Ignatius is a Washington Post columnist. His e-mail address is firstname.lastname@example.org.