On Saturday, defense contractor Lockheed Martin admitted that it had come under a ““significant and tenacious” cyber attack. Nevertheless, the nation’s largest defense contractor added that, “Our systems remain secure; no customer, program, or employee personal data has been compromised.” Considering the scope of Lockheed Martin’s contracts, this is especially good news. The company provides the Department of Defense with everything from F-22 fighter jets and Trident missiles to wartime communications satellites.
The news follows an admission by EMC of Massachusetts in March that its RSA division, which manufactures SecurID, was breeched and that information about the security system was stolen. The Lockheed Martin attack was conducted through the company’s remote access system, which requires SecurID hardware tokens. This has led many to speculate that the two attacks were related.
Security blogger Bob Cringley described the attack as, “very subtle and not easy to spot,” but notes that Lockheed Martin not only detected it but responded appropriately. Still, he muses, “Is this the only such instance of a major corporate network break-in? The very fact that we haven’t heard anything about this (I hadn’t, had you?) makes me think this probably isn’t the first such network penetration from the recent RSA hack … or the last.”
The Pentagon is taking the threat of cyber attacks very seriously, determining that computer sabotage originating in another country could be considered an act of war. The Wall Street Journal reports one military official warning hostile states saying, “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”
One major idea being discussed by the Pentagon is the concept of “equivalence.” This would regard a significant cyber attack that results in damage to infrastructure or death on par with a more conventional military attack to be treated the same way. “A cyber attack is governed by basically the same rules as any other kind of attack if the effects of it are essentially the same,” says retired Major General Charles Dunlap.
The Pentagon’s proposal also calls for synchronizing U.S. policies regarding cyber-attacks with its allies in NATO and other countries. According to many analysts, such attacks are becoming increasingly common. The Stuxnet virus attack on Iran’s nuclear facilities is rumored to have originated in Israel, possibly with American assistance, but American companies are equally vulnerable to such attacks. In January 2004, for instance, the Washington Post reported that at least 34 American companies, including Google, Dow Chemical, and another defense contractor, Northrop Grumman were victims of a concerted cyber-attack originating in China.
Though the Chinese government denies all involvement in these attacks, even if the hackers live there, it could possibly be interpreted as an act of war under the claim that China “harbored” the hackers. At the time, Whitehouse Spokesman Nick Shapiro said that, “The recent cyber-intrusion that Google attributes to China is troubling, and the federal government is looking into it.”
While such attacks are considered espionage, had they caused damage to American industries and infrastructure, would they have been subject to the same responses that the newly released Pentagon document warrants?
As far back as 2009, Newsweek reported that Secretary of Defense Robert Gates was considering the creation of a new Cyber Command at the Pentagon. That would be the kind of Command that integrates espionage with military action. With Leon Panetta stepping in to replace Gates, that may be a new focus of Pentagon strategy.