Foreign spies broke into a U.S. defense contractor’s computer network and stole valuable weapons data, Pentagon officials disclosed for the first time on Thursday in releasing a cybersecurity strategy aimed at bolstering Internet defenses.
Deputy Defense Secretary William J. Lynn III declined to name the contractor or to provide further details of the intrusion in March, except to say that 24,000 files “related to [weapons] systems being developed for the Department of Defense” had been stolen.
“We think it was a foreign intelligence service,” he said, adding that such thefts were the most common forms of cyber-attack directed at the United States.
“The most prevalent cyberthreat to date has been exploitation — the theft of information and intellectual property from government and commercial networks,” he said in a speech at the National Defense University, calling such attacks “deeply corrosive in the long term.”
Thefts like those in March have bedeviled the defense industry for more than five years, said Mr. Lynn, adding that the information stolen in such computer break-ins related to “a wide swath of crucial military hardware, extending from missile tracking systems and satellite navigation devices to [unmanned aerial vehicles] and the Joint Strike Fighter.”
Defense contractor Lockheed Martin was hacked by suspected Chinese intruders several weeks ago, and Google and several other U.S. corporations have been victims of cyber-attacks. Computer security specialists say China and Russia have sophisticated computer warfare capabilities.
Mr. Lynn, who recently announced he is leaving the post after the arrival of Leon E. Panetta as secretary of defense, made the remarks in releasing an unclassified version of the Defense Department’s long-awaited “Strategy for Operating in Cyberspace.”
The strategy lays out the five pillars of the Pentagon’s approach to defending cyberspace and operating its networks during wartime. It was first enumerated by Mr. Lynn last year during a speech in which he called for developing more active cyberdefenses, working with the Department of Homeland Security and the private sector to protect U.S. critical infrastructure such as banks and power systems from cyber-attack, and working with allies to build cooperative cyberdefenses.
“Collective cyberdefenses will help expand our awareness of malicious activity and speed our ability to defend against ongoing attacks,” he said.
“The thrust of the strategy,” he told reporters afterward, “is to reinforce the defensive nature of our approach.”
The strategy says that by making cyber-attacks more difficult to carry out successfully, the Pentagon hopes to change U.S. enemies’ calculations about such actions. “If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place,” Mr. Lynn said.
He gave an example of a pilot project the Pentagon is running with a handful of defense companies to help them protect their computer networks by sharing classified information with them about the latest types of attacks and how to stop them.
But the defensive tenor of the strategy brought criticism from some commentators, who say the United States is too focused on defense and not enough on offense — working out how to use cyber-attacks against the nation’s enemies.
Earlier Thursday, Marine Corps Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, at a separate event, compared perimeter defenses in cyberspace to the infamous Maginot Line built by the French before World War II that German Panzers easily circumvented.
“We have spent 90 percent of the time focusing on building the next firewall, and only 10 percent on what we might do to keep them from attacking us,” Gen. Cartwright told a defense writers group.
After the launch of the strategy, former senior Homeland Security Department and National Security Agency official Stewart Baker told The Washington Times it was “not completely comforting.”
“It’s like hearing that our nuclear-war strategy is to build more fallout shelters,” he said. Current defenses, “even the ones we hope to have tomorrow, will not deter adversaries or deny them the benefits of an attack,” Mr. Baker said.
Mr. Lynn acknowledged that offensive cybertools were outpacing the best defenses, but said only nation states have the most effective weapons. Although it is often difficult to determine with certainty where cyber-attacks originate, he said, they could be deterred.
“U.S. military power offers a strong deterrent against overtly destructive attacks,” he said. “Although attribution in cyberspace can be difficult, the risk of discovery and response for a major nation is still too great to risk launching destructive attacks against the United States.”
Terrorists and rogue nations that could not be deterred did not, at the moment, have the capability to launch such massively destructive attacks, he said. “There will eventually be a marriage of capability and intent,” and the country had “a window of opportunity — of uncertain length” in which to strengthen the nation’s cyberdefenses, he added.