WASHINGTON (AP) — Facing escalating risks of cyberattacks by hackers, criminals and other nations, the Pentagon is developing more resilient computer networks so the military can continue to operate if critical systems are breached or taken down.
In a broad new cybersecurity strategy to be released Thursday, the Defense Department lays out its vulnerabilities to attack from both outside and within its own workforce. Formally declaring cyberspace a new warfare domain, much like air, land and sea, the new strategy stresses the need for the military to continue to operate if its computer systems are attacked and degraded.
The Associated Press reviewed a draft copy of the 12-page unclassified summary of the strategy to be released by the Pentagon.
The strategy is the final step in the administration’s effort to map out how to handle the escalating threat of destructive cyberattacks, including potential assaults on critical infrastructure such as the electrical grid, financial networks or power plants.
Details about how the military would respond to a cyberattack or discussion of any offensive cyberspace operations by the United States are not included in the summary. That information is in classified documents and directives. The classified version of the Pentagon strategy is about 40 pages.
In an interview with a group of reporters Thursday before release of the document, Marine Gen. James E. Cartwright said the new strategy is focused on defending against attack, but he believes the U.S. government broadly and the Pentagon in particular need to develop offensive approaches that reduce incentives to attack U.S. computer systems.
Gen. Cartwright is vice chairman of the Joint Chiefs of Staff.
“If it’s OK to attack me and I’m not going to do anything other than improve my defenses every time you attack me, it’s difficult” to stop that cycle, Gen. Cartwright said.
He said the Pentagon currently focuses 90 percent of its cybersecurity effort on defense and 10 percent on offense. A better balance for the U.S. government as a whole would be 50-50, he said.
Earlier this year, President Obama signed executive orders that lay out how far military commanders around the globe can go in using cyberattacks and other computer-based operations against enemies and as part of routine espionage in other countries.
The orders detail when the military must seek presidential approval for a specific cyberattack on an enemy, defense officials and cybersecurity experts told the AP.
The orders and the new strategy cap a two-year Pentagon effort to draft U.S. rules of the road for cyberspace warfare, and come as the U.S. begins to work with allies on global ground rules.
Noting that Defense Department systems are vulnerable, the strategy says the Pentagon must develop resilient networks that can detect and fend off attacks. At the same time, the military must have multiple networks and be able to shift its operations from one system to another in order to keep operating while under assault.
That research is ongoing.
The strategy also warns that theft of intellectual property is the “most pervasive cyber threat.” And it calls for more significant efforts to ensure the integrity of the supply chain so that new software doesn’t arrive with vulnerabilities that allow hackers to infiltrate.
Associated Press national security writer Robert Burns contributed to this report.
Please read our comment policy before commenting.