Deputy Secretary of Defense William Lynn recently caused a stir in official Washington by publicly confirming that the Pentagon had suffered a massive computer breach in 2008. A foreign intelligence service successfully slipped an infected flash drive into a Central Command computer. The drive contained software that surreptitiously spread through both classified and unclassified government networks, establishing a "digital beachhead, from which data could be transferred to servers under foreign control." According to Lynn, "it was a network administrator's worst fear."
In addition to confirming the breach, Lynn previewed the Defense Department's cyber strategy, expected to be finalized by the end of the year. The strategy has several elements, including defense in depth with three layers: first, follow commercial best practices on security; second, deploy sensors, which map and detect intrusions; and, third, conduct "active defense." Lynn describes active defense as a system that automatically deploys defenses in real time based on intelligence warnings. According to Lynn, "part sensor, part sentry, part sharpshooter, these active defense systems represent a fundamental shift in the U.S. approach to network defense." This reference to "sharpshooters" raises questions, for it implies a more active role for the Defense Department.
Given the speed and range of cyber attacks, active defense depends on sophisticated rules of engagement, which must be set in advance. Lynn focuses on an attacker's motivation -- hacking, criminal, espionage or strategic -- to determine which body of law and regulation will govern a U.S. response. Although reading intent is not impossible, it is exceedingly difficult, perhaps more so given the difficulties associated with attributing an attack to any particular entity. (Indeed, Lynn dismisses retaliatory deterrence given these very difficulties in identifying an attacker, but does not address how the Defense Department will assess an attacker's motivations without knowing his or her identity.)