By Noah Shachtman
For one day, at least, you can call off the cyberwar.
The Pentagon has revealed an unclassified version of its “Strategy for Operating in Cyberspace.” And despite a drumbeat of scare talk and digital sabre-rattling in Washington, the document takes a measured, reasonable approach — focusing on good network hygiene and data-sharing, rather than bombing hackers into submission.
The question is whether this public summary conveys what’s actually in the classified strategy, or reflects the real mood of the Department of Defense.
“DoD would like to be much more aggressive in what it says and how it acts,” says a source familiar with the development of the strategy. “But that tendency to be aggressive has been reined in by the State Department, Treasury, and the White House, and not in an unreasonable way.”
Listen to the talk inside the Washington Beltway — and especially within the Pentagon — and you’d think hackers were about to reach their hands through our computers, and strangle us all in our sleep.
“The United States is fighting a cyber-war today, and we are losing,” retired admiral and former National Security Agency chief Mike McConnell wrote in the Washington Post last year.
Defense Secretary Leon Panetta claimed cyber attacks could be the “next Pearl Harbor we confront.” Or perhaps the next Hiroshima.
Senator Carl Levin declared that “cyberweapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects” during an April 2010 hearing.
According to the Wall Street Journal, the Pentagon has come to the conclusion that “computer sabotage… can constitute an act of war.” As one military official tells the paper: “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”
Yet the strategy the Pentagon released today uses tones of cooperation, not confrontation.
“By sharing timely indicators about cyber events, threat signatures of malicious code, and information about emerging actors and threats, allies and international partners can increase collective cyber defense,” the document notes. “Cyberspace is a network of networks that includes thousands of ISPs [Internet Service Providers] across the globe; no single state or organization can maintain effective cyber defenses on its own.”
Yes, there are all kinds of bad guys out there on the internet, the strategy adds. But many of them are out for money, not for blood.
“The tools and techniques developed by cyber criminals are increasing in sophistication at an incredible rate, and many of these capabilities can be purchased cheaply on the internet.”
And the best way to stop these crooks is through strong passwords, up-to-date software, and keeping unclassified disks and drives off of secret systems.
“Most vulnerabilities of and malicious acts against DoD systems can be addressed through good cyber hygiene,” the document adds.
If there was a nod to the McConnell crowd — who’d like to “reengineer the internet” to make everyone trackable online — it was in the declaration that “DoD will pursue revolutionary technologies that rethink the technological foundations of cyberspace.” But the nod was a subtle one.
Behind closed doors, some Pentagon officials take a much harder line. There have been calls to massively shift Defense Department spending from defensive measures to online offense.
Other countries — especially the Chinese, they believe — have infiltrated every corner of the military-industrial complex, and need to be shoved back. Every fresh online break-in brings a fevered call to declare the intrusion an “act of war.”
But that view is not universally shared in Washington. “There is no cyberwar,” White House cyber czar Howard Schmidt has repeatedly said. And those more rational voices helped keep the rhetoric in this Pentagon strategy from overheating.
As one source who watched the strategy develop says: “This is the result of a long, political process.”
But this is hardly the final document, Gen. James “Hoss” Cartwright tells reporters.
“This strategy talks more about how we are going to defend the networks,” says Cartwright, the Vice Chairman of the Joint Chiefs of Staff and one of the most influential voices on cybersecurity in the Defense Department. “The next iteration will have to start to talk about here’s a strategy that says to the attacker, ‘If you do this, the price to you is going to go up. It’s not just free.'”
“Today, we are on a path that is way too predictable. It’s purely defensive. There is no penalty for attacking right now,” Cartwright adds. “We’ve got to figure out a way to change that.”