If there's a sudden cyberattack on the U.S. Navy, Jim Granger could be among the first to know since it's his job to keep watch.
"We monitor the Navy's grid," says Granger, who is director of capabilities and readiness at the Navy Cyber Defense Operations Command in Norfolk, Va., home to the Naval Network Warfare Command. Granger works with a team of cyber-defense operations specialists in a security operations center, hunkered down behind computers to keep an eye on networks the Navy uses -- such as the Navy-Marine Corps Intranet -- both on land and at sea.
Distributed intrusion-prevention and firewall sensors send real-time data to be analyzed by what the Navy calls its Prometheus system, which includes the Novell Sentinel security event management system and SAS data management tools.
There are hundreds of thousands of alerts each day, though "not all are necessarily attacks," Granger says. The Navy's Cyber Defense Command Center is, in some respects, like a security operations center at a large organization in the commercial sector, he says.
But this is the U.S. military, which has to be prepared to protect the nation and is dependent on networking to do that. Robert Lentz, assistant secretary of information assurance at the Department of Defense, recently made that point when he said that without network support, aircraft couldn't fly. The Army and Air Force also have their own cyber-defense command operations, and they strive to work together through the Joint Task Force – Global Network Operations (JTF-GNO).
But how can the individuals in any cyber-defense operations command be sure about the exact nature of an attack? Is it coming from an enemy state or militant groups such as Al-Qaeda or simply a lone attacker who has put together an arsenal of network attack tools?
"We're trying to winnow the massive data stream to something that is actionable," Granger says. "We have to provide network-domain awareness" to the technical analyst on up to the four-star general. But while the Navy can see the attacks and block them through various means, pinning down attribution "is extremely difficult," Granger notes.
Granger's sentiments on that score aren't unique. Security experts tend to agree that while attacks of all sorts can often be traced back to certain IP addresses, being absolutely certain of the source of an attack is another problem altogether.
That raises the questions: What is a cyberattack and when might it be seen as the start of a cyberwar? Will the U.S. -- or any other country -- be able to recognize a cyberattack for what it is? And how might the U.S. consider using cyber weapons offensively?
These questions are getting attention in the highest reaches of the Pentagon and federal government. Much of the discussion is not made public, but there's growing belief that it should be as the cyber-arms race accelerates largely behind closed doors.