The Washington Post

U.S. cyber approach ‘too predictable’ for one top general

The nation’s second-ranking military official said Thursday that the U.S. approach to protecting its computer systems was “too predictable” and failed to penalize attackers, comments that preceded the release of a Pentagon cyber strategy that emphasized defense over retaliation.

“We’re on a path that is too predictable, way too predictable,” Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, told defense reporters Thursday. “It’s purely defensive. There is no penalty for attacking us now. We have to figure out a way to change that.”

Hours later, Deputy Defense Secretary William J. Lynn III presented a strategy whose thrust, he said, is defensive and focused on “denying the benefit of an attack.”

To illustrate the growing threat, Lynn disclosed that in March, the Defense Department discovered that a foreign intelligence service had hacked into a defense contractor’s system and stolen 24,000 computer files related to a weapons system under development, one of the largest known cyberattacks targeting the U.S. military.

Lynn did not name the contractor or the government behind the intrusion but said the Pentagon was reviewing whether the weapons system needed to be redesigned.

The Defense Department’s newly unveiled strategy relies on deploying sensors, software and special signatures, or lines of code, that detect and stop intrusions before they affect operations.

“If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place,” Lynn said.

Cartwright, in his remarks to defense reporters, suggested that stronger deterrents would be needed. “We are supposed to be offshore convincing people if they attack, it won’t be free,” he said, adding that adversaries should know that the United States has “the capability and capacity to do something about it.”

Cartwright, who appeared with Lynn at a news conference after the strategy rollout, described the cyber plan as a first step. “This starts us down the path of building out both our defenses and our awareness skills,” he said. Eventually, he added, more aggressive cyber tactics, as well as legal and diplomatic measures, would be needed to “raise the price” of attacking.

Over the past year, President Obama had asked Cartwright several times whether he would be willing to become chairman of the Joint Chiefs of Staff, The Washington Post reported in May, but Obama later turned to another candidate. Cartwright is leaving office this summer.

Stewart A. Baker, a former National Security Agency general counsel, in a blog post likened the Pentagon’s new cyber plan to a nuclear deterrent strategy of building more fallout shelters. “This is at best a partial strategy,” he wrote. “The plan as described fails to engage on the hard issues, such as offense and attribution and, well, winning.”

Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus, said that the plan was a good start but that key areas were missing. “What are acceptable red lines for actions in cyberspace? . . . Does data theft or disruption rise to the level of warfare, or do we have to see a physical event, such as an attack on our power grid, before we respond militarily?”

Lynn said that the United States has not yet been hit by an act of cyber war and that there was deterrent value in remaining ambiguous about what would constitute one. But ultimately, he said, it is the president and Congress that would decide that the human or economic damage is severe enough to consider a cyber event an act of war. He said the Pentagon would take the lead only if, in the “judgment of the leadership of the country, it required a military response.”

Cartwright, at the news conference, said the disabling of computerized patient records at a hospital such that the patients cannot be treated would be a violation of the law of armed conflict. “Then you have proportional responses” that can be undertaken, he said, without specifying which or by whom.

But when it comes to an act of war, he said, “it’s in the eye of the beholder.”

Staff writer Jason Ukman contributed to this report.

Ellen Nakashima is a national security reporter for The Washington Post. She focuses on issues relating to intelligence, technology and civil liberties.

The Freddie Gray case

Please provide a valid email address.

You’re all set!

Campaign 2016 Email Updates

Please provide a valid email address.

You’re all set!

Get Zika news by email

Please provide a valid email address.

You’re all set!
Show Comments

Sign up for email updates from the "Confronting the Caliphate" series.

You have signed up for the "Confronting the Caliphate" series.

Thank you for signing up
You'll receive e-mail when new stories are published in this series.
Most Read



Success! Check your inbox for details.

See all newsletters

Close video player
Now Playing

To keep reading, please enter your email address.

You’ll also receive from The Washington Post:
  • A free 6-week digital subscription
  • Our daily newsletter in your inbox

Please enter a valid email address

I have read and agree to the Terms of Service and Privacy Policy.

Please indicate agreement.

Thank you.

Check your inbox. We’ve sent an email explaining how to set up an account and activate your free digital subscription.