The U.S. Department of Defense (DoD) on Thursday unveiled its latest cyber strategy, described as a way to guide the development of DoD’s cyber forces and strengthen its cyber defense and cyber deterrence posture.
Speaking at Stanford University on Thursday, U.S. Secretary of Defense Ash Carter discussed the new strategy, which focuses on building cyber capabilities and organizations for DoD’s three cyber missions:
• Defend DoD networks, systems, and information
• Defend the United States and its interests against cyberattacks of significant consequence
• Provide integrated cyber capabilities to support military operations and contingency plans.
The strategy set five strategic goals and established specific objectives for the DoD to achieve over the next five years and beyond, the DoD said. The goals set by the Department of Defense for its cyberspace missions include:
1. Build and maintain ready forces and capabilities to conduct cyberspace operations;
2. Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions;
3. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence;
4. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages;
5. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability
“Like everything we do, our cyber strategy starts with our people – its first strategic goal is building and training our Cyber Mission Forces,” Carter said. “These are talented individuals who hunt down intruders, red-team our networks, and perform the forensics that help keep our systems secure. And their skill and knowledge makes them much more valuable than the technology they use. We’re just beginning to build and to imagine this cyber force in DoD.”
An update to the original strategy first released in 2011when the DoD added cyberspace as a new warfare domain, Carter said that in some ways, what the DoD is doing about cyber threats is similar to what the Department does about more conventional threats.
“We like to deter malicious action before it happens, and we like to be able to defend against incoming attacks – as well as pinpoint where an attack came from,” he said. “We’ve gotten better at that because of strong partnerships across the government, and because of private-sector security researchers like FireEye, Crowdstrike, HP – when they out a group of malicious cyber attackers, we take notice and share that information.”
Carter also highlighted the need for the DoD to do its part to shed more light on cyber capabilities that have previously been developed in the shadows.
“Today dozens of militaries are developing cyber forces, and because stability depends on avoiding miscalculation that could lead to escalation, militaries must talk to each other and understand each other’s abilities,” he said.
Naming a specific example of attacks against U.S. Government assets, Carter told the audience at Stanford that Russian hackers were recently able to access an unclassified Pentagon computer network.
“Earlier this year, the sensors that guard DoD’s unclassified networks detected Russian hackers accessing one of our networks,” Carter said. Fortunately, he said the DoD was able to quickly identify the compromise and had a team of incident responders hunting down the intruders within 24 hours.
The DoD’s cyber strategy also recognizes that it must be able to provide integrated cyber capabilities to support military operations and contingency plans.
“There may be times when the President or the Secretary of Defense may determine that it would be appropriate for the U.S. military to conduct cyber operations to disrupt an adversary’s military related networks or infrastructure so that the U.S. military can protect U.S. interests in an area of operations,” the strategy says. “For example, the United States military might use cyber operations to terminate an ongoing conflict on U.S. terms, or to disrupt an adversary’s military systems to prevent the use of force against U.S. interests. United States Cyber Command (USCYBERCOM) may also be directed to conduct cyber operations, in coordination with other U.S. government agencies as appropriate, to deter or defeat strategic threats in other domains.”
“In contrast, the 2011 DOD Strategy for Operating in Cyberspace made little reference to the Pentagon’s operational or offensive cyber capabilities, although U.S. officials have spoken about the issue, and there are leaked classified documents that outlined U.S. policy and planning for offensive cyber operations,” noted Denise E. Zheng, Deputy Director and Senior Fellow at the Center for Strategic and International Studies.
When it comes to defending the nation against attacks, Carter was asked what acts would have an impact that would trigger DoD involvement.
“Something that threatens significant loss of life, destruction of property, lasting economic damage to people,” Carter answered. “Those are — is the kind of thing as in any use of — of force against Americans or American interests where the president would determine what the response ought to be on the basis of its proportionality and its effectiveness, and it won’t be any different in cyber than it will in any other domain, and by the way, the response might not occur in cyberspace, but might recur — might occur in a different way.”
The cyber strategy explained that during a conflict, the Defense Department assumes that a potential adversary will seek to target U.S. or allied critical infrastructure and military networks to gain a strategic advantage.
A disruptive, manipulative, or destructive cyberattack could present a significant risk to U.S. economic and national security, the cyber strategy said.
“To conduct a disruptive or destructive cyber operation against a military system or industrial control system requires expertise, but a potential adversary need not spend billions of dollars to develop an offensive capability,” the DoD explained. “A nation-state, non-state group, or individual actor can purchase destructive malware and other capabilities on the black market. State and non-state actors also pay experts to search for vulnerabilities and develop exploits. This practice has created a dangerous and uncontrolled market that serves multiple actors within the international system, often for competing purposes. As cyber capabilities become more readily available over time, the Department of Defense assesses that state and non-state actors will continue to seek and develop cyber capabilities to use against U.S. interests.”
The DoD acknowledges that it must be dynamic, flexible, and agile in its work.
“We must anticipate emerging threats, identify new capabilities to build, and determine how to enhance our partnerships and planning,” the strategy concluded. “As always, our women and men – both uniformed and civilian personnel – will be our greatest and most enduring strength and a constant source of inspiration. By working together we will help protect and defend the United States and its interests in the digital age.”
“Recent cyber events worldwide have caused companies and governments to reevaluate their resiliency against a destructive cyber attack,” said Mike Papay, vice president and CISO, Northrop Grumman. “The DoD’s strategic focus on building bridges will help companies enhance their defense against an increasingly sophisticated enemy.”
The full transcript of Carter’s speech is available online.