Langevin on DOD's New Cybersecurity Plans

The US Department of Defense released the beginnings of a new cybersecurity policy yesterday. The aim, as Deputy Defense Secretary William J. Lynn III said, is to deny hackers "the benefit of an attack" - to quickly neutralize the assault and identify the attacker. Identifying hackers is one of the most confounding challenges in cybersecurity.

But before the release yesterday, General James Cartwright, vice chairman of the Joint Chiefs of Staff, was already suggesting that the plan was not enough; that the US government needs to demonstrate that it will inflict a "penalty" on those who would attack.

There were other critics, too. Among them: Stewart Baker, a former National Security Agency general counsel and Congressman James Langevin, a leading voice in Washington on the issue. From the Washington Post:

Stewart A. Baker, a former National Security Agency general counsel, in a blog post likened the Pentagon’s new cyber plan to a nuclear deterrent strategy of building more fallout shelters. “This is at best a partial strategy,” he wrote. “The plan as described fails to engage on the hard issues, such as offense and attribution and, well, winning.”

Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus, said that the plan was a good start but that key areas were missing. “What are acceptable red lines for actions in cyberspace? . . . Does data theft or disruption rise to the level of warfare, or do we have to see a physical event, such as an attack on our power grid, before we respond militarily?”

Lynn said that the United States has not yet been hit by an act of cyber war and that there was deterrent value in remaining ambiguous about what would constitute one. But ultimately, he said, it is the president and Congress that would decide that the human or economic damage is severe enough to consider a cyber event an act of war. He said the Pentagon would take the lead only if, in the “judgment of the leadership of the country, it required a military response.”

This question of what constitutes an act of war in cyberspace - and what the appropriate response might be - is another of the many thorny cybersecurity issues Washington must work through. Indeed, it may be the most important.

While much of the rhetoric around cybersecurity is focused on the potential for a spectacular assault - plunging the East Coast into darkness, for instance - the real threat, now and for the foreseeable future, is the theft of corporate and national security secrets.

It's happening in spades - Lynn disclosed yesterday that a foreign intelligence service hacked a US defense contractor in March and stolen 24,000 computer files on a weapons system under development. How to respond? Perhaps the answer will come in the second installment of DOD's evolving plan.

| More

 Friends' Activity   Popular 
All Blogs
Follow the Phoenix
  • newsletter
  • twitter
  • facebook
  • youtube
  • rss
Latest Comments
Search Blogs
Not For Nothing Archives