Security planners work on cyber defense strategies at U.S. Army War College |

Security planners work on cyber defense strategies at U.S. Army War College

CARLISLE — When it comes to cybersecurity, we’re all in this together.

The nation’s best defense in cyberspace involves not only the military but private citizens and corporations, top security planners said here Tuesday in a closed-door meeting at the U.S. Army War College.

“You do not want this to be a military approach,” said speaker Mark Troutman, the director of the Center for Infrastructure Protection & Homeland Security at George Mason University. “We are Americans. We secure ourselves at the end of the day with an active and engaged citizenry.”

Participants at the Carlisle event are working to break ground on a national cybersecurity strategy that would provide direction for the federal government in the event of a major computer attack, said William Waddell, director of mission command and the cyber division at the War College.

Sessions on the first of three days of planned talks included about two dozen planners representing multiple military branches, federal agencies such as Homeland Security, National Security Agency, Defense Department and Defense contractors, as well as security professors.

The Carlisle discussions are taking place as high-level talks between the United States and China play out at the Strategic and Economic Forum in Washington. U.S. Treasury Secretary Jack Lew opened the three-day forum Tuesday by saying Washington remains “deeply concerned about government-sponsored cyber theft from companies and commercial sectors.”

The comment reflected U.S. concerns that China might have been behind a massive computer hack on the federal Office of Personnel Management involving millions of government employee files. U.S.-China talks on cybersecurity issues were suspended last year when federal prosecutors in Pittsburgh filed criminal charges against several members of the Chinese military for allegedly stealing trade secrets.

Federal officials have said cybersecurity will be discussed during the Washington forum in an effort to smooth out problems before Chinese President Xi Jinping’s scheduled first visit to the White House in December.

The Tribune-Review’s Cyber Rattling series has reported the growing online threats from nation-states, criminals and others. The newspaper was invited to Carlisle to sit in on the unclassified but background discussions, involving many top policymakers who declined to comment for attribution because of security concerns.

One top military official suggested that the response from the United States to significant online attacks should not be limited to computers but include the potential for lethal force.

The session opened with an acknowledgement of the need to move quickly. Many active and retired military and government workers talked among themselves about the personnel management hack.

“The persistence and the size of the violation of people’s integrity is concerning to me, along with the knowledge of the threat and our vulnerabilities and those pieces that affect basically all U.S. citizens,” Waddell said.

U.S. military discussions about cyber capabilities have been taking place for more than a decade, but have focused primarily on the country’s offensive capabilities rather than defenses, said Anthony Shaffer, a retired Army lieutenant colonel who is a senior fellow at the London Center for Policy Research, a New York-based think-tank.

“We don’t do (planning) to the level necessary now to understand that if we can do this to somebody else, for goodness sake, they’re going to do it to us,” Shaffer said.

The first phase of the War College’s cybersecurity focus in February laid out policy recommendations that included increasing the Defense Department’s participation in cyber-response planning at the federal, state and local levels, as well as increased private-sector accountability for critical infrastructure such as power grids.

The War College events break down barriers that prevent groups from communicating about the cyber threat and what to do about it, said Thomas Arminio, a homeland security professor at Penn State University in Harrisburg.

“We have to avoid any notion of ‘my turf versus your turf,’ ” Arminio said, “because the problem is only going to be solved by collaboration.”

Reuters contributed to this report. Andrew Conte is a staff writer for Trib Total Media

TribLIVE commenting policy

You are solely responsible for your comments and by using you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.