The Defense Department lost 24,000 files to “foreign intruders” in the spring in what appears to be one of the most damaging cyberattacks to date on the U.S. military, a top Pentagon official acknowledged Thursday.
Deputy Defense Secretary William J. Lynn III, who disclosed the March breach during a speech to roll out the Pentagon’s new cyber strategy, said the files were taken from a defense contractor. He did not say who was believed to be behind the attack or describe the nature of the files that were stolen.
But Lynn said that, over the past few years, all manner of data has been stolen, some of it mundane, some of it concerning “our most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems, and network security protocols.”
“It is a significant concern that over the past decade, terabytes of data have been extracted by foreign intruders from corporate networks of defense companies,” Lynn said.
Last August, the Pentagon acknowledged for the first time that the U.S. military had suffered a major cyberattack in 2008 after malicious code was placed on a flash drive inserted into a U.S. military laptop. The code spread undetected on both classified and unclassified systems, “establishing what amounted to a digital beachhead,” Lynn wrote last year in an article for Foreign Affairs.
The Pentagon’s vast networks are believed to be the subject of malicious probing every day, but it is often difficult if not impossible to determine the identity of an attacker.
In a statement Thursday, Defense Secretary Leon Panetta said more than 60,000 “new malicious software programs or variations are identified every day threatening our security, our economy and our citizens.”
The Pentagon’s new cyber strategy is built in part on a belief that the Defense Department should “treat cyberspace as an operational domain to organize, train and equip” and that it should partner to some extent with the private sector, according to the announcement.
“Our strategy’s overriding emphasis is on denying the benefit of an attack,” Lynn said Thursday. “Rather than rely on the threat of retaliation alone to deter attacks in cyberspace, we aim to change our adversaries’ incentives in a more fundamental way. If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place.”