DOD preps office for cyberdefense

The Defense Department plans to create a new military organization to spearhead DOD's effort to protect the nation's critical computer systems against information warfare attacks, marking the first time DOD has taken responsibility for protecting infrastructure within the United States.

Under the plan, which is now being finalized, DOD will establish a new organization under the assistant secretary of Defense for command, control, communications and intelligence, according to Deputy Secretary of Defense John J. Hamre, who spoke last month at the Defense Special Weapons Agency (DSWA) Annual International Conference on Controlling Arms. The announcement of the office comes at a time when DOD is planning the reorganization of the ASD/C3I office.

The new organization will oversee DOD's role in protecting the nation's critical information infrastructure, such as those computer systems that operate electric and natural-gas utilities, air traffic control, telecommunications and weapons systems.

Although DOD is responsible for defending against attacks to locks and dams in the United States, defense of all other infrastructure is the responsibility of national and local law enforcement agencies. "I believe that's an artificial distinction," Hamre told conference attendees. "Cyberspace doesn't know geographical boundaries."

DOD officials met this past weekend to discuss the new organization but declined to comment last week.

The Pentagon also is considering the formation of a reserve cadre of "cyberdefense warriors," who would have hands-on responsibility for protecting the nation's sensitive information networks and systems from information warfare attacks. According to an industry source familiar with the project, about 300 Ph.D.-carrying reservists would work from home computers that would be tied into high-speed communications links. DOD has budgeted $10 million to jump-start the effort, the source said.

Dan Kuehl, chairman of the Information Operations Department of the Information Resources Management College of the National Defense University, said, "There are no clear-cut answers" as to who should be responsible for domestic infrastructure protection. "It's a cooperative effort that requires a partnership between the private sector and DOD."

John Pike, a defense and intelligence analyst with the Federation of American Scientists, speculated that the new organization will be the DOD equivalent of the new Critical Infrastructure Assurance Office, which spearheads multiple-agency efforts to develop better policies, processes, procedures and systems to detect and deter attacks, or the National Infrastructure Protection Center, which tracks and analyzes electronic attacks. However, although DOD "has a lot of infrastructure that needs protecting," it is not clear exactly what the department will be doing, Pike said.

Martin Libicki, a senior fellow at the National Defense University who specializes in information warfare, said he is not sure what the department will be doing either. "[DOD] may be [planning to conduct] indications and warning [procedures], but I can't believe we have an I&W methodology in place yet," he said. "Weaknesses [in the network infrastructure] cannot be easily fixed by the federal government."

Hamre told conference attendees that DOD is considering several other IT initiatives to improve domestic defense.

This week officials also are meeting to discuss the eventual consolidation of several DOD organizations into the Defense Threat Reduction Agency, which will oversee domestic defense and the nonproliferation efforts aimed at nuclear, chemical and biological weapons.

According to Hamre, DTRA will take steps to develop modeling and simulation skills to make up for the lack of "intellectual infrastructure" available for biological and chemical threats. "Here, we seek the full panoply of capabilities," he said.

DTRA will comprise about 2,000 people from the On-Site Inspection Agency, the Defense Technology Security Administration, DSWA and various elements from the ASD for nuclear, biological and chemical (NBC) defense programs.

A spokesman for OSIA said the new organization is still in the conceptual stage. "We don't even have a position paper on this new office yet," according to the spokesman. However, the infrastructure is already in place, and plans call for the new agency to become operational Oct. 1.

In the next 16 to 18 months, DOD plans to fill out the "essential details" of assigning the United States to a military commander in chief, Hamre said. Such a move, mirroring how the Pentagon manages defense internationally, would be designed to increase the focus on domestic defense, including both cyber- and NBC defense.

The U.S. Atlantic Command, which recently was designated the executive agent for joint warfighting experimentation, is the logical place to assign responsibility for U.S. homeland cyber- and NBC defenses, Hamre said.

According to Pike, DOD's idea does not appear to be a well-thought-out plan, given all the policy and legal issues surrounding domestic cyber- and NBC defense. "I get nervous when you talk about the Atlantic Command having the same responsibility for Baltimore as it does for Cuba," he said. "Alarm bells should be going off all over the place."