By Emelie Rutherford
The Pentagon’s number-two officer said last week the military must treat cyber security as a weapon system and weigh hard decisions when boosting cyber-warfare efforts, including the extent to which it reorients traditional squadrons and protects commercial networks.
Marine Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, said cyber security for U.S. government and businesses is a “critical, vital, national interest,” though he said inadequate resources are devoted to it.
“The number of people we (in the Pentagon) have trained, our real expertise in this area does not have the scale that we need,” Cartwright told public and private-sector participants in a cyber-security wargame in Washington.
“We (in the Department of Defense) just patted ourselves on the back because we’re working through training 1,000 new people a year; that’s about a third of where we really need to be in this environment; that’s the scale that we’re trying to work to,” he said, noting that boosting Pentagon cyber-efforts to that scale won’t be easy.
“Imagine a service, you pick, Marine Corps, Air Force; let’s look at the F-16, F-18 (jet fighter) squadron you’re going to shut down because you are going to convert those people to cyber,” Cartwright added. “Those are the decisions that we’re trying to work our way through.”
For the Pentagon, cyber security is and must be handled as a weapon system, he said.
Because of “the discipline that we demand to operate in this environment, the standards that will be necessary to operate in this environment, we have to treat it as a weapon system,” Cartwright said.
The four-star general who holds great sway over Department of Defense investments declared during a speech last Wednesday night that cyber security is a “passion” of his. He has a blog of his own, and said senior military officers must develop a stronger understanding of the Internet realm.
The government and the private sector can cooperate to protect computer networks from attacks through “layering,” he said.
“The construct that we are trying to put in place, which would fit with other constructs within the government, is: At the core we have the most protected, the most resilient, the most capable networks, and then work their way out,” he said.
Yet, he acknowledged, “because we’re treating it as a weapon system, because we are the Department of Defense, there is a certain intrusiveness that we can have that…the rest of the government and the civil sector cannot. We can basically tell people, check your rights at the door, you’re in the military and everything that you do has with it no expectation of privacy. That generally is a difficult sell in the public sector, to say the least.”
Thus, Cartwright said, because the Pentagon “can do things there that others can’t…then we can move out to dot gov, and we can start to work in dot gov, and then out to dot com,” in a layered approach for increasing networks’ resilience and expectation of availability. All this must be done while being mindful of concerns about “intrusiveness” in the non-military realm, while also weighing cost-benefits, he said.
“This is a cultural issue,” Cartwright said. “You don’t want to have to go through a 9/11 (terrorist attack) to get the feeling that it’s important enough that the cost-benefit is moved in the right direction and you can now start to protect things that generally live out there in the dot-com domain. That is something that is very important to us, and we’re going to have to work our way through it.”
The general said a construct is not yet established to determine if a cyber attack by an adversary falls under the law of war or basic criminal law. A possible taxonomy could be created that says cyber invasions by hackers and industrial espionage fall under law enforcement’s purview, while military resources are used to counter cyber aggression from nation states, he said, adding that may not be the optimal setup.
For cyber-security-related research and development, Pentagon and civil-sector efforts must be joint, he said, without forcing private interests to give up their competitive edge.
He noted defense and industry researchers are not doing the same things, and that each side is more advanced in different areas.
“We have to get outside the box and find what is a relevant civil-government, private-sector-government relationship here that allows the nation to stay competitive in the decision cycles that are the reality of this networked world, allow the government to protect the commons, so that you can flourish out there and develop a competitive edge on a global scale, and finding interfaces between our nation and other nations, the private sector and the government, in a way that makes sense,” Cartwright said at the wargame. “And we haven’t found it yet.”
Yet the general said he believes “trying to hand-jam it into existing structures, existing boards, etcetera, is not going to work.”