Hours later, Deputy Defense Secretary William J. Lynn III presented a strategy whose thrust, he said, is defensive and focused on “denying the benefit of an attack.”
To illustrate the growing threat, Lynn disclosed that in March, the Defense Department discovered that a foreign intelligence service had hacked into a defense contractor’s system and stolen 24,000 computer files related to a weapons system under development, one of the largest known cyberattacks targeting the U.S. military.
Lynn did not name the contractor or the government behind the intrusion but said the Pentagon was reviewing whether the weapons system needed to be redesigned.
The Defense Department’s newly unveiled strategy relies on deploying sensors, software and special signatures, or lines of code, that detect and stop intrusions before they affect operations.
“If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place,” Lynn said.
Cartwright, in his remarks to defense reporters, suggested that stronger deterrents would be needed. “We are supposed to be offshore convincing people if they attack, it won’t be free,” he said, adding that adversaries should know that the United States has “the capability and capacity to do something about it.”
Cartwright, who appeared with Lynn at a news conference after the strategy rollout, described the cyber plan as a first step. “This starts us down the path of building out both our defenses and our awareness skills,” he said. Eventually, he added, more aggressive cyber tactics, as well as legal and diplomatic measures, would be needed to “raise the price” of attacking.
Over the past year, President Obama had asked Cartwright several times whether he would be willing to become chairman of the Joint Chiefs of Staff, The Washington Post reported in May, but Obama later turned to another candidate. Cartwright is leaving office this summer.
Stewart A. Baker, a former National Security Agency general counsel, in a blog post likened the Pentagon’s new cyber plan to a nuclear deterrent strategy of building more fallout shelters. “This is at best a partial strategy,” he wrote. “The plan as described fails to engage on the hard issues, such as offense and attribution and, well, winning.”
Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus, said that the plan was a good start but that key areas were missing. “What are acceptable red lines for actions in cyberspace? . . . Does data theft or disruption rise to the level of warfare, or do we have to see a physical event, such as an attack on our power grid, before we respond militarily?”
Lynn said that the United States has not yet been hit by an act of cyber war and that there was deterrent value in remaining ambiguous about what would constitute one. But ultimately, he said, it is the president and Congress that would decide that the human or economic damage is severe enough to consider a cyber event an act of war. He said the Pentagon would take the lead only if, in the “judgment of the leadership of the country, it required a military response.”
Cartwright, at the news conference, said the disabling of computerized patient records at a hospital such that the patients cannot be treated would be a violation of the law of armed conflict. “Then you have proportional responses” that can be undertaken, he said, without specifying which or by whom.
But when it comes to an act of war, he said, “it’s in the eye of the beholder.”
Staff writer Jason Ukman contributed to this report.