Inside look at Pentagon's cyberdefense strategy: The battlefield beyond bad flash drives

Our nation faces risks far greater than a rogue flash drive: Failure to properly safeguard our consumer and industry systems; unwillingness to invest in ongoing security; and ordinary computer users playing with digital weapons of mass destruction.
Written by David Gewirtz, Senior Contributing Editor on

Updated: With the news about how 250,000 confidential diplomatic cables got released by Wikileaks, this article becomes even more relevant.

The September/October issue of Foreign Affairs is now available online and within its virtual pages is one of the most important cyberwar articles in modern history.

Written by United States Deputy Secretary of Defense William J. Lynn III, the article is as important to understanding America's global cyberwarfare strategy as the Monroe Doctrine was to understanding America's approach to foreign affairs.

It should be noted that Secretary Lynn is the #2 person at the Pentagon, effectively the Pentagon's chief operating officer and operates as the Secretary of Defense by delegation in the absence of SecDef.

This article, written by Lynn at this time, is more, therefore, than simply an opinion piece by a government functionary. It is a detailed description of American policy in what Lynn calls:

As a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain of warfare.

Later today, you'll be able to hear an interview I did on this matter with Voice of America, where I discuss many of the questions that have come up since Lynn's article became available.

One issue that's caused a lot of concern is Lynn's admission that the United States was the victim of a cyberattack in 2008. The attack was caused by an infected flash drive, which propagated attack software throughout a military network.

In my roles as Cyberwarfare Advisor for the International Association of Counterterrorism and Security Professionals, a member of the FBI InfraGard program, and a technology editor and advisor, I have been warning about the flash drives, thumb drives, iPods, iPhones, cameras, and all forms of removable media as a cybersecurity risk for years now.

Given that most of us can roll with 16-32 gigabytes just in our phones, it's possible for an enemy (or an unwitting accomplice) to bring very dangerous software behind the firewall simply by carrying in a phone or an iPod. It's also possible for an enemy to remove vast amounts of secured information simply by loading up an iPhone or other handheld device.

The risks, as Lynn details, are far more than just rogue flash drives. However, what this incident shows is the asymmetric nature of cyberwarfare. It's very easy and very inexpensive for an enemy state, an enemy actor, a terrorist organization, a crime organization, or even teenage hackers to cause measurable damage. For a detailed backgrounder on this disproportionality factor, I recommend reading my article, The coming cyberwar.

One question I was asked by Voice of America is important to address. I was asked if Lynn's article discloses too much information and gives an advantage to our enemies.

The answer to that is an emphatic "no". First, there's nothing in that article our enemies don't know. Regular, non-technical readers may find it containing shocking news, but for those of us responsible for dealing with cyberattacks, there's nothing really new from a technical perspective.

What makes this article so important is its policy implications, rather than its technical implications. In Defending a New Domain, the Pentagon's Cyberstrategy, the United States government is effectively making an international statement on the importance of cyberdefense.

It's a call to arms for our allies, a cautionary tale for American industry, and a warning shot to those who might attack us.

Before I close this article, I have one more thing important thing to say about America's cyberdefense. I've worked with a lot of people on the front lines of America's cyberdefense and these are some of the most amazingly smart and aware professionals I've every met.

The risk is not with having smart enough people on the job. The risk is our own lack of caution in keeping our consumer and industry systems properly protected, a lack of willingness on the part of managers and policy makers to invest in ongoing security, and the challenge that ordinary computer users are, effectively, playing with digital weapons of mass destruction with barely any awareness of the basic risk.

My final recommendation is simple. Read Lynn's article. If you're an IT professional of any level, it's one of the most important pieces you'll read this year. (One note: you will need to register to read the article, but registration is free).

Editorial standards


Southwest Airlines has a big problem and customers may not know it

Southwest Airlines has a big problem and customers may not know it

Trade in your old devices for Amazon gift cards. Here's how
Google Pixel Car Crash Detection

Trade in your old devices for Amazon gift cards. Here's how

Tesla's first Optimus robot comes alive, Musk says it will cost less than $20,000

Tesla's first Optimus robot comes alive, Musk says it will cost less than $20,000