The Pentagon’s plan to set up a command to defend its global network of computer systems has been slowed by congressional questions about its mission and possible privacy concerns, according to officials familiar with the plan.
Key questions include: When do offensive activities in cyberspace become acts of war? How far can the Pentagon go to defend its own networks? And what kind of relationship will the command have to the National Security Agency?
“I don’t think there’s any dispute about the need for Cyber Command,” said Paul B. Kurtz, a cybersecurity expert who served in the George W. Bush and Clinton administrations. “We need to do better defending DOD networks and more clearly think through what we’re going to do offensively in cyberspace. But the question is how does that all mesh with existing organizations and authorities? The devil really is in the details.”
One senior defense official said officials are trying to figure out, for instance, to what extent it is legal and desirable to remove malware outside the gateways as it heads to military networks.
“What can you do at the perimeter?” he said. “What can you do outside the perimeter? We haven’t had resolution on that.”
Privacy advocates are sensitive to government monitoring of communications networks at or just outside the gateways, particularly if the effort involves private Internet carriers, out of concern that purely private, non-government communications could be monitored. But defense officials said they are not contemplating the involvement of private firms.
NSA Deputy Director Chris Inglis said in a recent interview that “90 percent” of the command’s focus will be on defensive measures because “that’s where we are way behind.”
“If we led with attack, people would say, ‘That’s just nuts. That’s completely irrational,’ ” he said. “You’ve got to be about the defense.”
Beyond a cyber command, the Pentagon is grappling with a dizzying array of policy and doctrinal questions involving cyber warfare.
Who should authorize a cyber attack on an adversary that might be capable of undermining the United States’ financial system or energy infrastructure? What degree of certainty is needed about an alleged attacker before authorizing a response? When does an effort to defend a U.S. military network cross the line into an offensive action?
Many of these questions will be answered down the road, after the command is launched, and perhaps some won’t be answered for years, defense officials said.