In an article (Defending a New Domain) published on 25 August by Foreign Affairs, Deputy Defense Secretary William J. Lynn III revealed that in 2008, a thumb drive with malicious code was introduced into a computer on a military base located somewhere in the Middle East. He asserts that this code was created by an unnamed foreign intelligence organization and this attack resulted in “the most significant breach of U.S. military computers ever.”
Of course, the level of damage to national security is only known to the US Military (the article is predictably vague). In an analysis of Secretary Lynn’s article, Noah Shachtman of Wired.com voiced understandable skepticism that the kind of code described would be capable of any true penetration of the military’s classified information networks. However, such a revelation by a high-level Department of Defense official is significant, and the issues that are highlighted in his article should not be overlooked.
First is the overt point that Lynn is quite clear about: the cyber threat to US security is as real as any of the more “traditional” threats, such as an enemy military or terrorism. “U.S. military and civilian networks are probed thousands of times and scanned millions of times” every day, Lynn warns.
This attack in 2008 is only the latest example of the cyber threat posed by rival nations against the United States. For example, every year the US-China Economic and Security Review Commission provides an assessment of the challenges posed by China. In 2009 the Commission issued its Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation report, and determined that hacker activity out of China over the past several years has been so intense and so focused on U.S. and Western defense data that such activity would be “difficult at best without some type of state-sponsorship.”
Although the attack described in Defending a New Domain targeted military computers, the threat is just as real, and potentially more devastating, to critical civilian infrastructure. In an effort to formulate a coordinated defense against developing cyber threats, the Department of Homeland Defense (DHS) created the National Cyber Security Division. And even more recently, in 2010 the US Military activated its own US Cyber Command. However, this brings us to the second point that Secretary Lynn makes in his article. Although claiming some success in increasing cooperation between the military and DHS, “an enormous amount of foundational work remains…” Just as the US Intelligence Community has come under withering criticism that it is too large and too diffused, the various agencies that would prepare for a significant cyber attack do not appear mature enough to be very effective.
This realization that there remains a significant shortfall in U.S. cyberdefense coordination is one of the reasons that Secretary Lynn wrote his piece for Foreign Affairs. In their analysis of the attack, Wired.com asked Secretary Lynn why a foreign government would sponsor what should have been an insignificant cyber attack (see Wired.com’s article for the in-depth analysis). The secretary responded that while the attack itself wasn’t necessarily the most sophisticated, the fact that it compromised as much as it did, and was so difficult to root out following its discovery, highlights how much work is needed to develop a true national cyberdefense.
I believe it can be safely said that if the US Military found it difficult to combat a relatively simple hacking attack (the operation to counter and purge the malicious code reportedly took months to finish), then the readiness of the US and our Allies is likely even more suspect. Some might criticize the Secretary for highlighting such a failure of our information security systems, but in this instance I believe the criticism would be misplaced. Our adversaries know too well our vulnerabilities…they exploit them daily, if the reports mentioned above are to be believed. So the “wake up call” of 2008 needs to be heard, and recognized for what it was. The United States and her Allies simply cannot wait until a catastrophic attack or a critical security breach occurs before we decide that we could have done more to defend ourselves.
Defending a New Domain: The Pentagon’s Cyberstrategy, by William J. Lynn III, Foreign Affairs, September/October 2010
Lynn Outlines Cyber Threats, Defensive Measures, by Lisa Daniel, American Forces Press Service, Department of Defense
Insiders Doubt 2008 Pentagon Hack Was Foreign Spy Attack (Updated), by Noah Shachtman, Wired.com, August 25, 2010
Dept of Homeland Security National Cyber Security Division
Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, The US-China Economic and Security Review Commission, 2009