Hackers Gained Access to Sensitive Military Files

By THOM

SHANKER and ELISABETH BUMILLER

Hackers Gained A By THOM SHANK http://w w w .nytim default July 15, 2011

Published: July 14, 2011

The New York Tim nytimes.com

12
Bottom of Form

WASHINGTON The Defense Department suffered one of its worst digital attacks in history in March, when a foreign intelligence service hacked into the computer system of a corporate contractor and obtained 24,000 Pentagon files during a single intrusion, senior officials said Thursday. The disclosure came as the Pentagon released a strategy for military operations in cyberspace, embodying a belief that traditional passive programs for defending military and associated corporate data systems are insufficient in an era when espionage, crime, disruptions and outright attacks are increasingly carried out over the Internet. In releasing the strategy, William J. Lynn III, the deputy defense secretary, disclosed that over the years crucial files stolen from defense and industry data networks have included plans for missile tracking systems, satellite navigation devices, surveillance drones and top-of-the-line jet fighters. A great deal of it concerns our most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems and network security protocols, Mr. Lynn said. Officials declined to identify the military contractor whose data system was compromised in the March attack. They also refused to name the nation they suspected was the culprit, saying that any accusation was a matter of official, and perhaps confidential, diplomatic dialogue. However, when major intrusions against computers operated by the Pentagon, the military or defense industry contractors have occurred in the past, officials have regularly blamed China, and sometimes Russia. The hacking attack in March, which stole important Pentagon files in the computer network of a contractor developing a military system, had not been previously disclosed. Other breaches have been discussed, including earlier this year at Lockheed Martin, the nations largest military contractor, and at RSA Security, which produces electronic identification for computer users.

Current countermeasures have not stopped this outflow of sensitive information, Mr. Lynn said during a speech at the National Defense University. We need to do more to guard our digital storehouses of design innovation. The Pentagons new strategy, the final piece of an effort by the Obama administration to defend computer networks operated across the government and private sector, calls for what is termed dynamic defense: looking for potential attackers on the Internet rather than waiting for an intruder to attack. It also calls on the Pentagon to build resiliency into its computer networks to help recover if attacked. Mr. Lynn also stressed the importance of cooperation with foreign partners to spot computer network threats overseas, before they compromise systems here. But James Lewis, an expert on computer network warfare at the Center for Strategic and International Studies, said the Pentagons computer networks were vulnerable to security gaps in the systems of allies with whom the military cooperates. Americas allies are all over the map on cybersecurity issues, Mr. Lewis said. Some are very, very capable and some are clueless. The militarys Cyber Command was created to coordinate defensive and offensive operations for Pentagon and military computer networks. Officials speak obliquely of its capabilities for carrying out offensive operations in cyberspace if ordered by the president. And for now, the new strategy is centered on how the United States can defend itself. But Gen. James E. Cartwright, the vice chairman of the Joint Chiefs of Staff, said the Pentagon also had to focus on offense including the possibility of responding to a cyberattack with military action. If its O.K. to attack me, and Im not going to do anything other than improve my defenses every time you attack me, its very difficult to come up with a deterrent strategy, General Cartwright told reporters on Thursday. He said that in regard to cyberdefense, American military commanders were now devoting 90 percent of their attention to building better firewalls and only 10 percent to ways of deterring hackers from attacking. He said a better strategy would be the reverse, focusing almost entirely on offense. The Pentagon, he said, needs a strategy that says to the attacker, If you do this, the price to you is going to go up, and its going to ever escalate. He added that right now were on a path that is too predictable its purely defensive. There is no penalty for attacking right now.

Officials say the main challenge for the United States in a retaliatory cyberoperation is determining the attacker. The Internet makes it relatively easy for online assailants to mask identities, even if the geographic location where the attack originated can be confirmed. Mr. Lynn said most major efforts to penetrate crucial military computer networks were still undertaken by large rival nations. U.S. military power offers a strong deterrent against overtly destructive attacks, he said. Although attribution in cyberspace can be difficult, the risk of discovery and response for a major nation is still too great to risk launching destructive attacks against the United States. However, he warned that the technical expertise needed to carry out harmful Internet raids was certain to migrate to smaller rogue states and to nonstate actors, in particular terrorists. If a terrorist group obtains disruptive or destructive cybertools, we have to assume they will strike with little hesitation, Mr. Lynn said. The new strategy describes how the militarys capabilities would support the Department of Homeland Security and federal law enforcement agencies. And it acknowledges how much the military relies on private sector computer networks for such vital supplies as electricity.

A version of this article appeared in print on July 15, 2011, on page A6 of the New York edition with the headline: After Suffering Damaging Cyberattack, the Pentagon Takes Defensive Action.