Adopting cybersecurity measures presents significant challenges for the Department of Defense, the government and for critical infrastructure, a senior DoD official said Tuesday.
Principal Deputy Assistant Secretary of Defense for Policy James N. Miller said the issue of cybersecurity has the attention of all defense leaders, and progress is being made. The confirmation of Army Lt. Gen. Keith Alexander to serve as the nation’s first head of U.S. Cyber Command is a positive step, he said.
Meanwhile, the government is working on a cybersecurity strategy that must be flexible to address the diverse and growing threats of the future, Miller said.
Adversaries are stealing terabytes of information from the government and DoD’s 15,000 networks, and DDoS attacks, viruses and worms also threaten the systems, he said. He estimated that more than 100 foreign intelligence services are trying to get into DoD systems, and said some foreign militaries are developing offensive cyber capabilities. Knowing who is delivering them is extremely difficult, and enemies will confront the United States using these cheap, asymmetric tools, Miller said.
“The linkages between intelligence, offense and defense are particularly important in cyber operations,” he said. “The ability to repel attackers is closely tied to the ability to identify them.”
Miller said a lot of basic work remains to be done in the cybersecurity effort, including determining when a cyber event becomes an attack covered by the law of armed conflict. He said there is a big difference between cyber espionage and acts meant to degrade U.S. networks or to input false data into those networks.
“There is no way we are going to fully defend against cyber espionage,” Miller said. “And we understand that not everything that happens in cyberspace is an act of war. As we think of the role of cyberspace in supporting military operations, and the role of cyber attacks as … the front-end of a kinetic military attack, then we would think about the potential for responses that are not limited to the cyber domain.”