Lewis: Defense Department has role to play on cybersecurity

"Given the feeble state of U.S. cyberdefenses, an astute antagonist could use cyberattacks to disrupt critical services and information," writes James Andrew Lewis. Photo Credit: Donna Grethen / Tribune Media Services

It was bound to happen. The Senate fumbles and the House proffers only magical solutions for cybersecurity. The task of improving cybersecurity reverts to the executive branch, but the Department of Homeland Security does not inspire confidence. So the Department of Defense is given a larger role in protecting cyberspace -- a responsibility that Defense Secretary Leon Panetta finally claimed in an important speech he delivered last week.

Panetta may have said that the Pentagon will only play a "supporting role," but make no mistake: The center of action just shifted.

Given the feeble state of U.S. cyberdefenses, an astute antagonist could use cyberattacks to disrupt critical services and information. An expanded role for the Defense Department makes sense when the United States is so vulnerable -- not only from sophisticated opponents but also from less advanced countries that may be more aggressive -- and less able to calculate risk.

But while a greater role for the Defense Department is a good idea, there are obvious problems. The department's National Security Agency makes privacy advocates scream.

To intercept malicious traffic from opponents, you need to monitor all incoming traffic. Remember that we are ultimately talking about streams of ones and zeros, the code transferred among machines and only translated into human languages at the end. While it is possible to screen these ones and zeros to look for patterns that indicate an attack without ever looking at content, some doubt the NSA would be able to resist temptation. An expanded role for the Defense Department will require expanded privacy protections.

The Defense Department's new role also requires defining the space for action. Forget the dot-com mythology about cyberspace having no borders. Cyberspace depends on a physical infrastructure of computers and fiber, and this infrastructure is located on national territory or subject to national jurisdiction. Cyberspace is a hierarchy of networks, at the top of which a small number of companies carry the bulk of global traffic over the Internet "backbone." The backbone is a choke point, relatively easy to defend, and something that the NSA is already intimately familiar with. Sit at the boundary of the backbone and U.S. jurisdiction, monitor and intercept malware, and attacks can be blocked.

But how far down the Internet's spine should the Defense Department go? Should it also monitor the networks of large corporations or Internet service providers? Should it be able to go onto consumer devices when they are infected? The precedent in the United States is for military or intelligence agencies to perform domestic security functions only in a crisis, not routinely.

Panetta makes clear that the Defense Department does not envision playing this role. What he does envision is something that might be called pre-emption, using new rules of engagement for Cyber Command. The United States, using national technical means, often has advance knowledge of an opponent's plans, intentions and capabilities for cyberattack. Panetta seemed in his speech to say that when an attack appears imminent, the president can direct the Defense Department to strike first.

An active defensive role for the military is one of the three key elements needed for effective cybersecurity. The second is better protection for consumers. Last summer, the Federal Communications Commission began a program with major service providers to block or clean malware from their customers' computers.

The third missing piece in a comprehensive defense is protection of critical infrastructure. Panetta says members of President Barack Obama's administration "are considering" an executive order on cybersecurity. With a dysfunctional Congress, an executive order that mandates security at selected critical infrastructure may be the best the country can do. There are tensions within the Obama administration over Internet orthodoxies, but if the White House can manage to issue a credible order on critical infrastructure to complement protections from Internet service providers and a larger role for the Pentagon, it will have done much of what needs to be done to begin building an adequate cyberdefense.

James Andrew Lewis is a senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies. This is from Foreign Policy.