The cyberattack that awakened the Pentagon

Deputy Defense Secretary William J. Lynn today outlined the five pillars of the DOD’s strategy for defending against and responding to cyber attacks against the nation’s critical infrastructure and .mil networks.

 

The 2008 breach of the Pentagon’s classified and unclassified networks by a relatively unsophisticated worm was a wakeup call for the military, said Deputy Defense Secretary William J. Lynn, who today outlined the DOD’s developing strategy for defending against and responding to cyber attacks.

Lynn declassified at least some of the details of the intrusion and subsequent cleanup effort, called Operation Buckshot Yankee, for an article to appear Thursday in the journal Foreign Affairs. In it, he said the intrusion was caused by a worm that was uploaded from a flash drive by a foreign intelligence agency and that spread through DOD classified and unclassified networks.

“It isn’t the most capable threat, but that’s the point,” Lynn said Wednesday in a teleconference with reporters. “The important policy application is that it was done and we need a set of defenses that would prevent that going forward. We need a new strategic approach.”




Lynn outlined the five pillars of the new strategy, one of which would include extending DOD protection to non-military critical infrastructure.

“The .mil networks do not exist in a vacuum,” he said. But he added that the Homeland Security Department has priority in defending the .gov and .com domains and that DOD and the National Security Agency would play only a supporting role. “The call there is Homeland Security,” he said. “We would follow the Homeland Security lead.”

Lynn’s disclosures of Buckshot Yankee offered few new details of the incident. The breach had been widely reported in 2008 and it was known that the malware responsible was the agent.btz worm, which spread by exploiting the Microsoft AutoRun function that automatically runs programs on removable drives when attached to a computer. The most significant revelation from Lynn was his insistence that the breach was the work of a foreign nation, although he refused to identify the country or to say how the attack was attributed. He also did not say whether the worm actually succeeded in stealing or corrupting data on the DOD systems.

“It is tied to a foreign intelligence service,” he said. “The important thing is that it did occur and the threat exists.”

To counter that threat, a document detailing the DOD’s strategic cyberdefense and response posture will be developed this fall. Lynn said he expected it to be completed by year’s end. He said the strategy will consist of five pillars, some of which already are being implemented by the Pentagon:

  • Recognize cyberspace as a new domain of warfare, alongside land, sea, air and space. This has been officially done with the creation of the U.S. Cyber Command, which became active earlier this year and is expected to achieve full operational capability in a few months. It is collocated with the National Security Agency at Fort Meade, Md.
  • Extend our defensive posture beyond good computer hygiene and traditional perimeter defenses. “We need a sophisticated and active defense” capable of responding “at network speed,” Lynn said.
  • Extend protection beyond the .mil networks to the critical infrastructure that supports the DOD and much of the nation’s economy.
  • Pursue international cooperation for the sharing of information and warnings. Lynn said he has been in talks with the United Kingdom, Canada and Australia about such cooperation, and expects to extend those talks to NATO in the coming months.
  • Maintain U.S. IT dominance with a cadre of trained professionals backed up by sophisticated automated tools. This also would require adapting government IT acquisition policies to match the speed of technological change.

Although the Pentagon is in the process of establishing cyber defenses and strategies, defining cyberwarfare remains a challenge, Lynn said. Defining the points at which intrusions become espionage or an act of war still remains to be done.

“We are still working through where these thresholds are,” he said. “This is far less clear than for nuclear” warfare, which defined the strategies of the Cold War.

One particular problem is attribution, or the ability to identify the source of an attack.

“Attribution is very difficult,” Lynn said. “Even when you can do it, it takes a long time.” Because of this, the country’s cyberdefense strategy is likely to rely more on denying our enemies the benefits of an attack than on retaliation, which was the backbone of the U.S. Cold War strategy.