U.S. military wants to 'protect' key civilian networks

The Pentagon today elaborated on its plans to defend privately-owned Internet servers owned by banks, transportation and utility companies, and other key firms from electronic attacks, a proposal that has raised privacy concerns in the past.

"Our assessment is that cyberattacks will be a significant component of any future conflict, whether it involves major nations, rogue states, or terrorist groups," William Lynn, the deputy secretary of defense, said during a speech at the National Defense University in Washington, D.C.

To illustrate the sophistication of such attacks, Lynn said a foreign government was behind a cyberattack in March that led to 24,000 files being stolen from military computers. Virtual intruders have tried to extract files related to missile tracking systems, UAVs, and the Joint Strike Fighter, he said.

But the broader purpose of the speech was to downplay concerns that the Defense Department and the National Security Agency's cyberspace plans, which treat the Internet as the same kind of battlefield as air, ground, and the high seas, do not protect civil liberties or will be viewed as overly bellicose. Its delivery was delayed in part to address some of these concerns.

Lynn's response today:

Commentators have asked whether and how the U.S. would respond militarily to attacks on our networks. And this speculation has prompted concerns that cyberspace is at risk of being militarized--that a domain overwhelmingly used by civilians and for peaceful purposes could be fundamentally altered by the military's efforts to defend it. The concern here, as in other areas of our security, is that the measures put in place to prevent hostile actions will negate the very benefits of cyberspace we seek to protect.

We have designed our DoD Cyber Strategy to address this concern...This emphasis on cyberdefenses illustrates how we are both mindful of those who would do us harm using cyber means, but also committed to protecting the peaceful use of cyberspace. Far from "militarizing" cyberspace, our strategy of securing networks to deny the benefit of an attack will help dissuade military actors from using cyberspace for hostile purposes. Indeed, establishing robust cyberdefenses no more militarizes cyberspace than having a navy militarizes the ocean. This commitment to peace through preventive defense is at the heart of our DoD Cyber Strategy and the Administration's overall approach to cyberspace.

Lynn said that the DOD and DHS have created a pilot program called Defense Industrial Base Cyber Pilot, which shares classified information with defense contractors and their commercial Internet service providers.

"The U.S. government is not monitoring, intercepting, or storing any private sector communications" as part of the program, he said. "Rather, threat intelligence provided by the government is helping the companies themselves, or the Internet service providers working on their behalf, to identify and stop malicious activity within their networks."

This isn't exactly a new approach. In a speech at the RSA Conference in San Francisco in February, Lynn proposed extending "active defenses" to private networks, a concept he reiterated today.

What Lynn refers to as "active defenses" were pioneered by the National Security Agency. In an essay last year, Lynn likened them to a cross between a "sentry" and a "sharpshooter" that can also "hunt within" a network for malicious code or an intruder who managed to penetrate the network's perimeter.

But the power to monitor civilian networks for bad behavior includes the ability to monitor in general, and it was the NSA that also pioneered a controversial warrantless wiretapping program under the Bush administration. NSA director Keith Alexander was named head of the U.S. Cyber Command last year, an organizational restructuring that Lynn had championed.

The resolution of privacy concerns is likely to depend on the details, including whether the military merely provides recommendations to network operators in the private sector--or if it instead wants authority and oversight. Another open question is whether Web sites like Google.com and Hotmail.com could be considered "critical infrastructure," or the definition would be narrowed to facilities like power plants.