The Pentagon hammered home its new cyber policy Thursday by revealing a large, previously secret electronic attack on a U.S. defense contractor.
"In a single intrusion this March, 24,000 files were taken," Deputy Defense Secretary William Lynn said at the release of an unclassified version of the new strategy to defend the U.S. military networks and critical national infrastructure.
"It is a significant concern that over the past decade, terabytes of data have been extracted by foreign intruders from corporate networks of defense companies," Lynn said, adding that the March attack was the latest in a series of escalating attacks over the past five or six years.
He carefully avoided specifics of the March attack and would not reveal which company was hit - or which country was to blame. "It was large, it was done, we think, by a foreign intelligence service - a nation-state was behind it," Lynn, the number-two official at the Pentagon, said during a speech and questions at the National Defense University.
This "digital thievery," according to Lynn, is interested in the most advanced weapons in the U.S. arsenal. "Cyber exploitation being perpetrated against the defense industry cuts across a wide swath of crucial military hardware, extending from missile tracking systems and satellite navigation devices to UAVs (Unmanned aerial vehicles) and the Joint Strike Fighter," Lynn said.
The Pentagon carefully emphasized the defensive parts of its new strategy. "Our first goal is to prevent war," Lynn said.
But the new plan also makes clear that, if necessary, the United States will fight back. "The United States is prepared to defend itself," Lynn said. "Just as our military organizes to defend against hostile acts from land, air and sea, we must also be prepared to respond to hostile acts in cyberspace," he said. And that response could include what he called "a proportional and justified military response at the time and place of our choosing."
A central challenge is to identify if and when a cyber attack would constitute an act of war, to prompt military action. "An act of war, at the end of the day, is in the eyes of the beholder," Joint Chiefs Vice Chairman, General James Cartwright said at the same rollout of the cyber strategy.
In addition to reliance on civilian power, communications and other critical civilian infrastructure networks, the Pentagon has a huge amount of electronic gear to protect - 15,000 networks, and 7 million computers around the world. The WikiLeaks release of hundreds of thousands of military and diplomatic cables dramatically illustrated the inside-job vulnerability of Defense Department computers. And federal officials say that in 2008 a foreign intelligence agency penetrated its classified computer system.
Both Cartwright and Lynn stressed that there still is catching up to do as new technology and new vulnerabilities require new legislation and regulation.
And Lynn warned that threats will only worsen and become more sophisticated as rogue states and terrorists gain new cyber tools.
"The more malicious actors have not yet obtained the most harmful capabilities," Lynn said. "But this situation will not hold forever. There will eventually be a marriage of capability and intent, where those who mean us harm will gain the ability to launch damaging cyber attacks."