The Obama administration has revised federal policy, enabling the military to assist during a domestic cyber-attack, reported the New York Times on Oct. 21.
Typically, the military cannot deploy units within the country's borders, except for natural disasters, and even then, a presidential order is required. However, under a new agreement between the Department of Defense and the Department of Homeland Security, military cyber experts can now be called upon if critical computer networks in the United States are attacked.
Robert J. Butler, the Pentagon's deputy assistant secretary for cyber policy, told the Times that this policy change will allow agencies to focus on how to respond to such attacks more effectively. The two agencies "will help each other in more tangible ways than they have in the past," Butler stated in an article in Defense News, an Army Times publication. He added that closer collaboration will provide "an opportunity to explore new ways for national cyber incident response."
The new rules enable domestic security officials to utilize the Pentagon's military expertise and the intelligence capabilities of the National Security Agency. "DoD's focus is really about getting into the mix. We want to plan together and work together with other departments," Butler said, emphasizing the need for mutual understanding of military and civilian cyber defense capabilities.
Homeland Security Secretary Janet Napolitano and Defense Secretary Robert Gates signed the memorandum. It ensures a swift and legal response to a cyber-attack, eliminating debates over authority and responsibility, according to the New York Times. While the Department of Homeland Security will still lead cyber-defense efforts, the Department of Defense will provide cyber-attack expertise to various government entities and select private corporations.
Officials involved in drafting the rules aimed to ensure a rapid response to cyber threats while balancing civil liberties concerns. Butler mentioned that teams of lawyers would monitor for potential civil liberties violations.
Once the president gives the order, a team of Pentagon cyber experts will be sent to Homeland Security's operations center. Meanwhile, Homeland Security officials will be dispatched to Fort Meade, where the National Security Agency and the Pentagon's Cyber Command are located.
The majority of the government's computer network capabilities are also at Fort Meade. Officials explained that the policy change was necessary because most of the government's computer network defense expertise is within the Pentagon, while key targets are on domestic soil. These targets include government operations and public-facing systems like financial networks and regional power grids.
Improving agency and industry "situational awareness" in cyberspace is a key objective for the Department of Defense. However, developing and maintaining a clear picture of cyber threats is challenging due to the ever-evolving nature of the Internet, Butler noted.
In the event of a cyber-attack, identifying the attacker and defining what constitutes an attack remain difficult tasks. "As we move forward, one of the key things we have to agree on is the taxonomy," Butler said. There is ongoing debate about terms like "cyber-war," "cyber-attacks," and "hostile intent," with no consensus on their exact meanings.
In late August, Homeland Security conducted Cyber Storm 3, a national cyber-incident response exercise. The exercise involved federal and state entities, the private sector, and international partners. Butler said it helped government officials think through possible scenarios. "We were able to work out what the threat was, what the appropriate response was, who takes action, and how to determine conditions and postures," he explained.