The Department of Defense says it was hit by a cyberattack by a “foreign intelligence service” that managed to pilfer 24,000 sensitive files. The attack, which occurred in March, was perpetrated by an unnamed “nation state,” according to Deputy Defense Secretary William J. Lynn III, who disclosed the breach during a speech Thursday outlining the Pentagon’s new cyber strategy for dealing with cyber-breaches.
The Washington Post reports that the files were stolen from a defense contractor. Lynn did not name the “nation state” involved, nor did he disclose the nature of the files that were stolen. The admission of the breach appears to be nothing more than a justification of the Department of Defense’s new “Strategy for Operating in Cyberspace” (PDF).
The new strategy, outlined in the afore-linked 19-page document, has five “strategic initiatives,” or “goals.”
1. Treat cyberspace as an “operational domain” with specially organized, trained, and equipped forces.
2. Employ new defense operating concepts to protect DoD networks and systems.
3. Partner with other U.S. government departments to enable a “whole-of-government” cybersecurity strategy.
4. Build relationships with U.S. allies and international partners.
5. Recruit, educate and train “the nation’s ingenuity” to help improve cybersecurity.
Under the new cybersecurity guidelines, a cyberattack could be considered an act of war, and warrant a “proportional and justified military response at the time and place of its choosing,” Lynn said. Of course, for a cyberattack to be considered an act of war, it must bring effects comparable to those brought about in a more traditional act of war–massive damage, massive human losses, or significant economic damages.
“It would be in those circumstances that I think the President would consider all the tools he has–economic, diplomatic, and as a last resort, military,” Lynn said.
This is far from the first discussion of cyberattacks as acts of war–in fact, hacktivist group LulzSec is largely a product of the initial reports that the Department of Defense planned to take a more serious approach to hacking. In one of LulzSec’s first appearances, the hacking group claimed it hacked and defaced the web site of the Atlanta chapter of InfraGard, an organization affiliated with the FBI, in response to NATO and President Obama’s “upping the stakes.”
Lynn also noted that, over the past few years, “all manner of data has been stolen,” from the mundane to the incredibly sensitive, including “aircraft avionics, surveillance technologies, satellite communications systems, and network security protocols” by “foreign intruders from corporate networks of defense companies.”
In other words, it looks like two things are true: first, the U.S. government seriously needs to put the cyber-lockdown on its data, and second, LulzSec totally misinterpreted the initial push–the DoD never really cared about Anonymous and LulzSec and 16-year-old hackers with nothing to do (until now, that is).