The Defense Department is finalizing sweeping changes to rules that govern how it defends American networks as well as how it launches attacks in cyberspace, Defense Secretary Leon Panetta said on Thursday.
“The new rules will make clear that the department has a responsibility not only to defend DOD’s networks, but also to be prepared to defend the nation and our national interests against an attack in or through cyberspace,” Panetta said in remarks prepared for national-security business executives in New York. The speech implies that officials are prepared to preemptively respond to an “imminent threat” of cyberattack.
The Defense Department has the capacity to locate hackers and “hold them accountable” for attacks on the United States, Panetta said.
If officials detect an “imminent threat of attack that will cause significant physical destruction or kill American citizens,” the military has the capability to “conduct effective operations to counter threats to our national interests in cyberspace,” he said.
The new policies will be the “most comprehensive change” to the rules of engagement in cyberspace in seven years, Panetta said. “These new rules will make the department more agile and provide us with the ability to confront major threats quickly.”
For the past year, the Pentagon has been working with other agencies to better define the lines of responsibility in cyberspace. DOD has traditionally protected military networks and websites, while the Homeland Security Department has protected civilian government networks and websites and worked with the FBI and other agencies to help police private networks.
Panetta said DOD’s mission should be to defend the United States against cyberattacks, while supporting DHS in protecting domestic cybersecurity.
“It does not mean the Defense Department will monitor citizens’ personal computers, or provide for the day-to-day security of private and commercial networks. That is not our mission,” he said.
As part of the reforms, officials are looking at ways to boost U.S. Cyber Command’s capabilities, including giving it a “common, real-time understanding of the threats in cyberspace” that can be shared with other agencies.
“Our cyber adversaries will be far less likely to hit us if they know we will be able to link them to the attack, or that their effort will fail against our strong defenses,” Panetta said. “The department has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of an attack.”
Besides focusing on developing new capabilities and streamlining government cybersecurity policies and organization, the Defense Department is working to cooperate with private industry and other countries.
Panetta defended the White House’s decision to consider an executive order to boost cybersecurity for American networks by developing voluntary standards for certain critical private networks.
“There is no substitute for comprehensive legislation, but we need to move as far as we can in the meantime,” he said. “We have no choice because the threat we face is already here. Congress has a responsibility to act. The president has a Constitutional responsibility to defend the country.”
In the latest salvo over the proposed order, a group of congressional Republicans wrote a letter to the Obama administration on Thursday urging the president not to sign it, arguing that it would undermine Internet freedom.
“It will almost certainly be exploited by other nations to justify their efforts to regulate the Internet,” the members wrote. “This is a most critical time, and we cannot afford a hasty, unilateral action that will only serve to bolster the efforts of less democratic nations to stifle the very free exchange of ideas and expression that has allowed the Internet to flourish across the globe.”
But in his speech, Panetta said that cyberthreats are rising and waiting could lead to a cyberattack that could cause physical damage or even kill Americans. “This is a pre-9/11 moment,” he said. “The attackers are plotting. Our systems will never be impenetrable, just like our physical defenses are not perfect. But more can be done to improve them.”