The Pentagon made it clear last November that it saw hacking and cyber attacks as acts of aggression that merited a military response. This past Tuesday, the head of Cyber Command provided insight on new rules of engagement that are being considered for such threats. General Keith Alexander told members of the Senate Armed Services Committee that one goal of the changes would be to expand the Department of Defense's role, thereby granting the White House more control should the US be struck by a large-scale attack. Under the proposed rules, the Department of Homeland Security would work with private companies to protect domestic networks, but should it be discovered that an attack was originating from a foreign source, then the DOD would take over.
The DOD's standing rules, first implemented in 2005, were designed only to cover its own internal networks, a concern that looks increasingly narrow as attacks against numerous different targets have stacked up in recent years. Falling victim to hacking attacks has become so common that Shawn Henry, the head of the FBI's Criminal, Cyber, Response, and Services Branch, went so far as to tell the Wall Street Journal that the US is in fact losing its battle to keep its corporate networks safe. "It's an unsustainable model," he said. "Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security." According to Henry, companies can be compromised for months if not years before noticing, and they need to respond by adapting to the realities of the situation — including taking their most sensitive data off networks altogether. Playing defense doesn't work, Henry says, when the "skills of the adversaries are so substantial that they just leap right over the fence."
Echoing Henry, the Pentagon's new guidelines would require a closer working relationship between private companies and the DOD. However, this is due not only to the large number of vulnerable private-sector targets like banking institutions, but also to the breadth of knowledge to be gained there. "Industry... sees [malware] signatures that government does not see," Gen. Alexander told the committee, noting that information sharing could help the DOD recognize attacks before they actually occur. There's no timeline yet as to when the Pentagon will be finalizing and implementing its new guidelines.