Today, the U.S. military can defend its networks within and at their perimeter, yet it is less able to prevent attacks before they occur. The military is essentially limited to a reactive and forensic posture as opposed to a dynamic and preventive one. The Panel believes the United States must have the ability to defend its critical networks beyond the boundaries of its own infrastructure to forestall catastrophic cyber threats before our networks or the information they contain are damaged or destroyed. We need an active immune system with the capacity and authority to shut down an attack instantaneously at the point of origin. However, this defensive footing is more a matter of the proper authorities than of technology. We need to identify the kinds of attacks we can treat diplomatically as acts of war, and eliminate them.
An active immune system—an automatic, self-healing network—that protects our networks is in some ways a whole new paradigm. The capability should be predicated on a set of standing rules of engagement (SROE) that is sufficiently flexible to respond to myriad threats. These SROEs must account for the expanded event horizon and compressed timeline that characterize operations in cyberspace. The mechanisms, means, and modes the Department uses to render assistance to other departments, agencies, or branches of government are unclear. The Department of Defense should be responsible for cyber security of the
It will be interesting to see what kinds of hacks and attacks will be classified as "acts of war", and how the U.S. plans on a) pre-identifying such kinds of attacks, based either on the nature of the instrument used (trojan horse, virus, etc.) or on the effect of the attack; b) justifying, in a timely manner, an active "immune system" response when the attack originates on foreign soil or on foreign servers, in a way that allows for a credible response yet denies the attacker time to escape retribution, and deciding the level of response needed to eliminate the threat; and c) preventing collateral damage (e.g. how do you take out just the portions of a critical server that may be an unsuspecting host to the attack?). The QDR Independent Panel report can be found here: http://www.foreignpolicy.com/files/fp_uploaded_documents/100728_QDR%20Ind.%20Review%20Rept.%207.27.10.pdf