The Pentagon’s Cyber Command has called for a five-fold increase in the number of its cybersecurity personnel, from about 900 to nearly 5,000. The story, first broken by the Washington Post, described a request by the Defense Department’s cyberwar unit for a dramatic expansion in resources, which it says are needed to protect the nation’s power grids, dams and other ‘critical infrastructure,’ to support offensive combat operations abroad, and to protect the military’s own command and control networks.
While not yet officially approved, the request is in line with a vigorous effort by the Administration to ramp up government capacity in this arena. Secretary of Defense Leon Panetta made headlines last October with a speech warning of a “Cyber Pearl Harbor”, and earlier in the year the Pentagon’s Defense Advanced Research Projects Agency (DARPA) floated a plan thrillingly described as ‘Plan X’ for Cyberspace. The Administration’s focus was further confirmed this past weekend by media reports broken by the New York Times of the completion of a legal review concluding that President Obama has authority to order preemptive strikes to counter credible threats of attacks on U.S. military or civilian networks.
Congress has spent years attempting to fashion comprehensive cybersecurity reforms, primarily focused around the Lieberman-Collins Cybersecurity Act of 2012. The comprehensive legislative reforms fizzled over civil liberty concerns and reservations in the business community about a possible government overreaching despite an appeal by President Obama in the Wall Street Journal. However, some modest cyber provisions were enacted. The 2013 National Defense Authorization Act gives the DOD new powers, to be implemented under procedures yet to be established, to require reports from “cleared” defense contractors on any successful penetrations of their information systems, although reports are explicitly required only when data has been ‘exfiltrated.’
After Congress failed to enact comprehensive cybersecurity reforms in 2012, it has become apparent that the Administration is determined to do by executive authority what it could not obtain through legislation. The White House has internally circulated several draft Executive Orders and is reportedly close to issuing a final Executive Order after the State of Union address. The drafts floated plans to use existing regulatory authority to establish a new cybersecurity regulatory framework and promote information-sharing on cybersecurity matters between government and the private sector, through a voluntary program to include owners and operators of Critical Infrastructure” (defined in 42 U.S.C. 5195c(e)). The draft Orders refer to “incentives” for compliance by private sector owners and operators, and also to annual reports by Sector Specific Agencies (defined in Homeland Security Presidential Directive 7) on the extent to which companies are participating in the program, leading to some speculation about just how “voluntary” the new reporting will actually be.
The federal government anticipates that cyberattacks on U.S. government and private sector systems, already occurring with unprecedented frequency against newspapers, consumer firms, and financial institutions (and reportedly a number of utilities as well), will continue to increase in intensity and competency. Although the objectives of the federal programs are more often described as “defensive”, with much of the talk referring to the usual suspects - state actors or patriotic volunteers in China and Russia, and of course Iran - it should be pointed out that some of the concern is for possible blowback from earlier US operations overseas. The Stuxnet virus, for instance, which in 2009 and 2010 and caused Iranian centrifuges and turbines to spin out of control to the point of self-destruction, thereby setting a new global standard for offensive cyber weaponry, is generally thought to have been a joint U.S. - Israeli operation. On its way to Iran Stuxnet passed through hundreds or thousands of other sites around the world, until it was identified by a security firm in Belarus. Once a cyber weapon has been analyzed by experts, it is generally feasible to reverse-engineer it, and there is concern now that Stuxnet, a related system called Flame, or new programs incorporating their advanced features, may now be turned back on U.S. critical infrastructure systems.
And so the Cyber Command has issued its call to arms. One challenge for the expansion effort is that there are probably not enough qualified people to meet the government recruiting targets. Cyber-summer camps and scholarships may eventually deepen the applicant pool, but the need is immediate, and so the government has turned to computer hackers. Government representatives have already appeared from time to time at DefCon, the annual hacker convention, mingling with the mohawked and tattooed attendees to try to pick up useful information and, possibly, do some recruiting. But the hacker community has a long tradition of viewing government as an adversary, and it is particularly roiled now by anger over the suicide of Reddit founder Aaron Swartz, considered by many to be a victim of overzealous federal prosecution. (In an act of claimed revenge, the hacker collective Anonymous recently took down sites belonging to MIT and to the DOJ’s sentencing division.) And ‘dark side’ hackers who do make the decision to go mainstream can usually make more money working for large corporations or consulting firms, so the government’s recruitment program could hit some slow going. In view of the urgency of the need it may be anticipated that the U.S. government, as well as federal contractors and the operators of critical infrastructure systems, will be looking far and wide for assistance in the cyberspace struggles to come.