WASHINGTON (Reuters) - A foreign intelligence service stole 24,000 files from a U.S. defense contractor earlier this year, a dramatic illustration of the threat confronting the Pentagon as it works to bolster military computer security, a top defense official said on Thursday.
Deputy Defense Secretary William Lynn revealed the theft as he unveiled a new Pentagon cybersecurity strategy that designates cyberspace as an “operational domain” like sea, air and land where U.S. forces will practice, train and prepare to defend against attacks.
Lynn said the theft occurred in March and was believed to have been carried out by a foreign intelligence service and targeted files at a defense contractor developing weapons systems and defense equipment. He declined to specify the country behind the attack, what company was hit or what the files contained.
“It was 24,000 files, which is a lot,” Lynn said. “But I don’t think it’s the largest we’ve seen.”
The theft was a dramatic illustration of the rising difficulties the Pentagon faces in protecting military and defense-related networks critical to U.S. security.
Defense Department employees operate more than 15,000 computer networks and 7 million computers at hundreds of installations around the world. The department’s networks are probed millions of times a day and penetrations have compromised huge amounts of data.
Lynn said a recent estimate pegged economic losses from theft of intellectual property and information from government and commercial computers at over $1 trillion.
In addition to calling for the Pentagon to treat cyberspace as an “operational domain,” Lynn said the new strategy includes four initiatives aimed at bolstering network security by layering defenses and improving cooperation with other network operators.
Lynn said as part of its active defenses, the Pentagon would introduce new operating concepts and capabilities on its networks, such as sensors, software and signatures to detect and stop malicious code before it affects U.S. operations.
“Our strategy’s overriding emphasis is on denying the benefit of an attack,” he said in a speech at the National Defense University. “If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place.”
The strategy also calls for greater U.S. military cooperation on cybersecurity with other government agencies, defense contractors and U.S. military allies abroad in order to take advantage of the open, interwoven nature of the Internet.
Former Homeland Security Secretary Michael Chertoff, who now heads the Chertoff Group risk management firm, praised the strategy as a “good first step” but said the challenge would be filling in the details.
“It’s not put your pencil down, work is done,” he said. “It really just sets the table for a lot of hard work thinking through the details of what the plans are going to be, what the capabilities have to be and how we’re going to build the various layers of defense.”
He cited the possibility of creating secure communities on the Internet for some functions, finding ways to encourage individuals to practice computer security and sharing security-related information more widely between public and private sectors.
“These are going to be hard things to do because they are going to require trade-offs,” Chertoff said. “You’re not going to eliminate the risk of cyberattacks. What you have to do is minimize and manage those risks.”
General James Cartwright, vice chairman of the Joint Chiefs of Staff, said the Pentagon must shift its thinking on cybersecurity from focusing 90 percent of its energy on building better firewalls and only 10 percent on preventing hackers from attacking U.S. systems.
“If your approach to the business is purely defensive in nature, that’s the Maginot line approach,” he said, referring to the French fixed defensive fortifications that were circumvented by the Nazis at the outset of World War Two.
“If it’s OK to attack me and I’m not going to do anything other than improve my defenses every time you attack me, it’s very difficult to come up with a deterrent strategy,” he said.
Cartwright said part of the answer was to build up the military’s offensive response capabilities.
“How do you build something that convinces a hacker that doing this is going to be costing them and if he’s going to do it, he better be willing to pay the price and the price is going to escalate, rather than his price stays the same and ours escalates,” Cartwright said.
“We’ve got to change the calculus.”
Editing by Todd Eastham and Bill Trott