By Tamara Jones
The United States is ready on paper to engage in cyber warfare if needed, but lacks “the speed and agility” to successfully defend itself against its enemies in the Information Age, according to one of the country’s top military experts in the field.
Speaking Monday at a forum hosted by the GW Center for Cyber and Homeland Security (CCHS) to assess the Department of Defense cyber strategy, Maj. Gen. Christopher P. Weggeman said the United States still needs to establish “street cred” to deter cyber attacks.
“We have to prove … that we are as good as we say we are,” said Maj. Gen. Weggeman, director of plans and policy (J5) of U.S. Cyber Command.
The event was convened with the support of Northrop Grumman. The panel of experts from the military, private and federal sectors analyzed the strengths and weaknesses of the Pentagon strategy put in place 13 months ago.
Rep. James R. Langevin (D-R.I.), the keynote speaker and ranking minority member of the Subcommittee on Emerging Threats and Capabilities of the Armed Services Committee in the House of Representatives, identified the three key components of cyber-deterrence as “denial, resilience and response.”
“In the cyberspace world, one often hears there is no real way to stop determined nation-state level attackers, and this is certainly true,” Mr. Langevin said, “however the vast majority of successful cyber breaches are not the result of advanced or even moderately skilled threats, but of basic vulnerabilities such as unpatched systems, poor cyber hygiene, weak authentication management....”
Filling security gaps “swiftly and efficiently” builds resilience against attacks, Mr. Langevin said, adding, “we’ll see the marginal bad actors start to fall off” when it costs them more to mount an attack, and the payoff is lower if they do.
“Let’s face it: Modern warfare is forever changed,” the congressman said. “We will never see combat situations where there is not a cyber component.”
So far, he noted, only nation-state adversaries have the weapons to effectively attack, but not the will, while organizations such as ISIL have the will but not the weapons. “My concern is how soon would that divide be bridged?” Mr. Langevin said.
CCHS Director Frank Cilluffo, who moderated the panel discussion—which included Charles Snyder, the Office of the Defense Secretary’s liaison to Congress for Defense cyberspace programs—asked whether rules of engagement are in place. “Are we ready?” he asked Maj. Gen. Weggeman.
“We are ready, actually,” Maj. Gen. Weggeman replied. “The portfolio of structures and authorities is in place. Do we have the speed and agility we need? No. But it’s coming quickly.”
However, not every cyber attack is “an act of war,” Mr. Langevin said, and “no attack on U.S. cyberspace so far” has risen to that level. Beyond the Pentagon’s offensive strategy, he urged the use of tools such as economic sanctions and criminal indictments.
Added panelist Mark Young, CCHS senior fellow and executive with IronNet Cybersecurity: “The DoD is attacked thousands of times a day, and we shouldn’t be responding to all of those thousands.”
He cited the 2014 hack of Sony Pictures, allegedly by North Korea, as “the kind of thing where there would have been significant consequences had we had the tools in place” at the time.
Michael Papay, vice president and chief information security officer for Northrop Grumman Corp., emphasized the importance of a united front by potential public, private, corporate and military targets against cyber attacks.
“The sharing of information is really important to get the right people in the right jobs” to counter threats, Mr. Papay said. “We need to work hard at sharing the best people we’ve got to solve the problem we have in front of us right now.”