DOD in never-ending cyberwar

The pace and intensity of cyberattacks against Defense Department computers and networks has increased so much that the Pentagon now considers itself continually at war.

"Peace really does not exist in the Information Age," said Air Force Lt. Gen. Kenneth Minihan, director of the National Security Agency, which serves as the Pentagon's lead computer security agency. Minihan, testifying at a Senate hearing this month, said DOD's information technology infrastructure is under constant attack. "Attacks are occurring every day," he said.

Barry Collin, a senior researcher with the Institute for Security and Intelligence, said Minihan's comments were "powerful" and were designed to focus attention on the seriousness of cyberthreats to DOD. Collin agreed that DOD is in a perpetual cyberwar, pointing out that anyone with a computer "has a weapon.

"You don't need to buy an intercontinental ballistic missile" to mount crippling attacks in the Cyber Age, Collin said.

Shift in Attacks

Minihan said that not only has the number of cyberattacks increased, but the focus has shifted from "unstructured" probes by teenage hackers to "structured" attacks by more advanced and better-organized foes. Structured attacks, Minihan said, are so sophisticated that "we don't know to what degree" the United States is being attacked.

Minihan did not identify these more sophisticated adversaries, but Deputy Secretary of Defense John Hamre, speaking at the same hearing, said, "Cyberattacks could be state-sponsored attacks."

John Pike, an analyst with the Federation of American Scientists, said Minihan's appearance and his candid testimony, ties in with the Clinton administration's deepening concern over protection of critical infrastructures from cyberattacks. To date, Pike said, "I've not seen evidence of attacks by professional adversaries.... Seventeen-year-olds on too much Jolt cola? Yes, but not professionals.''

However, if NSA or top DOD officials have evidence of such attacks, Pike said, "it would bolster their case to sanitize a paragraph or two" before they give a public statement.

The chances are high that these attacks could shut down computers or cause other problems. Hamre said the United States "is now vulnerable to an electronic attack" against its critical computer-based infrastructure, including its "natural-gas and power systems, all controlled by computers where security was not designed in at the outset."

During an NSA exercise called "Eligible Receiver" last year that was staged to assess how well the computer systems that support the nation's infrastructure could resist cyberattacks, the DOD systems were proven "deeply vulnerable."

Hamre said the exercise and DOD evaluations of actual attacks have shown that "the country has a massive infrastructure [that is] not designed to resist attack." Hamre urged widespread use of encryption by the government and the private sector to defend vital U.S. networks. He also acknowledged that policy debates over privacy concerns have slowed down deployment of encryption systems.

The United States needs to establish "home-line defenses'' against cyberattacks, Hamre said, and in DOD, "everyone, from the highest levels of senior management to the soldiers and office workers, must understand that each is a stakeholder in the vitality and security of our information systems." DOD "is moving aggressively to ensure the continuous availability, integrity, authentication, confidentiality and nonrepudiation of its information and the protection of its information infrastructure."