The military needs to better define the boundaries of cyberwarfare to allow cyber forces to go beyond defending computers and networks against numerous attacks, the vice chairman of the Joint Chiefs of Staff said on Thursday.
Marine Corps Gen. James Cartwright said in a speech that “we have an entire architecture globally that is based on defense only, point defense only.”
“Our defense is our virus protection software and our firewall. So if you are in uniform, what you’ve basically said is, ‘I want to have this fight at my boundaries, inside my country, and I am willing to wait for that and when it gets catastrophic, we’ll address it.’ ”
The general did not advocate conducting offensive cyberwarfare retaliation against foreign or domestic attacks. However, the newly-created U.S. Cyber Command combines both offensive and defensive cyber operations under one military unit.
Currently, military doctrine is unclear on what constitutes a computer or cyber-attack and what the consequences would be for countries or people who launched one on U.S. critical infrastructure. Branches of the armed forces, and in particular the Air Force, have conducted defensive and offensive actions in the realm of electronic or cyberwarfare. Individual branches of the armed services have developed their own cyberwarfare doctrine.
Gen. Cartwright said he supports the idea of cutting wasteful defense programs.
He also said he expects the current war against al Qaeda and Islamic extremism will last another five to 10 years.
The remarks on cyberwar sounded an alarm on the need for better doctrine.
The general compared the current lack of a doctrine on cyberwarfare to the Maginot Line, the concrete fortifications and stationary guns the French erected in World War II that failed to repel the Nazi tank blitz in the German invasion of France.
“Do you believe this network environment we are living in is going to persist for years to come?,” he asked “If you believe those things, then we have to start thinking about the validity of a Maginot Line approach to cyber.”
The comments on cyberwarfare doctrine were made as the Senate approved by voice vote the promotion of Gen. Keith Alexander, currently director of the National Security Agency, as the first new four-star chief of U.S. Cyber Command, located near NSA headquarters at Fort Meade, Md.
In a speech this week to Ogilvy Public Relations group, James N. Miller, deputy undersecretary of defense for policy, said the Defense Department is currently drafting a new cyberwarfare doctrine. He suggested that the military could respond to a cyber-attack by using conventional armed forces.
Mr. Miller also said that the military has lost enough data to fill the Library of Congress many times over every year due to cyber-attacks.
“Our systems are probed thousands of times a day and scanned millions of times a day,” Mr. Miller said, according to the Reuters News Agency.
A U.S. defense contractor, who asked not to be named, said, “We are sitting on our hands waiting for someone to pick a fight with us. And guess what, they do it every day.”
Retired Air Force Chief of Staff Gen. Ron Fogleman, speaking on a panel on defense in space and cyberspace, said that in the electronic realm, “it is very useful that every now and then you take a shot across the bow.”
The military has said very little publicly about its offensive cyber operations.
According to U.S. officials, most modern militaries have both the ability to launch computer viruses or denial of service attacks.
However, because it is very difficult to trace the origins of such attacks most state-based cyber-attacks are still kept in secret. Military experts have said China, Russia, Iran and North Korea are among the states known to have military cyberwarfare programs.
John Rizzo, the recently retired CIA general counsel, said last week at a breakfast meeting of the American Bar Association that he was envious of the military’s legal authorities to conduct attacks on computer networks.
He compared the CIA’s cyber work to the military’s Title 10 authority to “prepare the battlefield” the legal framework for most Pentagon cyber-attacks.
“I have always been envious of my colleagues at the Department of Defense, under the rubric of Title 10, of preparing the battlefield, they have always been able to operate to my lights with a much wider degree of discretion and autonomy than we lawyers at CIA have had to operate under,” he said.