Secretary of Defense Jim Mattis predicted the U.S. government will one day offer cyber protection to businesses that work with critical infrastructure and may even extend such a buffer to some individuals.
The top Pentagon official said during a Sept. 25 speech at the Virginia Military Institute that he envisions a voluntary program that would be spurred by the rapid change in technology.
“Because the Department of Defense has about 95 percent more of the capability to protect the country on cyber, we are probably going to have to offer to banks, to public utilities, (to) electrical generation plants and that sort of thing, the opportunity to be inside a government protected domain,” Mattis said. “It’s not going to be forced and there are constitutional issues, but I think we should also offer it to small businesses and individuals.”
Mattis, who rarely discusses cyber at length in speeches, did not put a timeline on the plan, only predicting that it would happen “in the long run.”
“I am talking to real smart people about what they do on cyber defense so that we are more resistant and more resilient,” Mattis said.
While the U.S. government currently shares information on cyber threats with businesses that are considered essential for the country to function ― often referred to as critical infrastructure ― the military does not currently offer protection on the scale Mattis suggested.
The plan is “remarkable when you think about it,” David Scott Lewis, the head of Threatcasting.net, a cyber advisory firm, told Fifth Domain. “It is going to be hard to carry this out with the personnel shortages inside the Pentagon. This could be an endeavor far larger than Amazon Web Services or Azure, so it’s likely this is going to have to be implemented by contractors.”
Mattis’ proposal is part of a recent trend of experts and former U.S. officials arguing that the government needs to take a greater role in cyberspace. The most prominent example is the idea that companies should be allowed to hack back.
During the DEF CON and Air Force cyber conferences this summer, Lewis argued that the Pentagon should provide a service similar to Mattis’ proposal, one that would allow private companies to retaliate against hacks.
“Companies would pay a third party who works in conjunction with the government to hack back as a deterrent. There would be a chain of command and escalatory procedures,” Lewis said.
Former head of the NSA and CIA Michael Hayden told Fifth Domain in August that he is open to greater public and private collaboration. He cited an example of an Australian bank that is involved in over half of the country’s banking transactions.
“Might the Australian government, given how big and important this bank might be, want to give them a little more headroom than you might want to give to Fred and Ethel’s bank out in Alice Springs? And so I am not reflexively dismissive (of hack back), but I am cautious.”