Carter Unveils New Cyber Defense Roadmap
By Sandra I. Erwin
Defense Secretary Ashton Carter is positioning the military to assume a key role in combating potentially devastating cyber attacks against the United States. Cyber threats are "one of the world’s most complex challenges today," Carter said April 23 during a lecture at Stanford University titled "Rewiring the Pentagon: Charting a New Path on Innovation and Cybersecurity."
The cyber threat against U.S. interests is "increasing in severity and sophistication," said Carter. "And it comes from state and non-state actors alike. Just as Russia and China have advanced cyber capabilities and strategies ranging from stealthy network penetration to intellectual property theft, criminal and terrorist networks are also increasing their cyber operations. Low-cost and global proliferation of malware have lowered barriers to entry and made it easier for smaller malicious actors to strike in cyberspace."
Carter's plan for combating these threats is articulated in the Pentagon's new cyber strategy, which he chose to release in front of a premier audience of technologists attending Stanford University's prestigious Drell Lecture on public policy.
Of significance in this new roadmap is a clearer definition of the Pentagon’s role in defending the nation.Whereas the Department of Homeland Security and the FBI are the lead agencies that deal with domestic cyber crimes and network intrusions most of the time, the Pentagon would be in charge if there were a catastrophic attack that rose to a level considered a threat to national security.
"We’re also going to work more closely with our law enforcement partners at the FBI, Homeland Security, and elsewhere," Carter said. "There are clear lines of authority about who can work where, so as adversaries jump from foreign to U.S. networks,we need our coordination with law enforcement to work seamlessly." In a simulated war game about two weeks ago, Pentagon cyber experts and their FBI counterparts practiced how exactly this would work.
The 2015 cyber strategy updates the one published in 2011. Four years ago, there was still interagency tension between DoD and DHS on how cyber defense responsibilities would be divvied up. Since then, the Defense Department has gained “more clarity on our missions in cyber space,” a senior defense official said. Per White House guidance, the Pentagon would have the lead role in rare cases — about 2 percent of attacks — that are considered the most serious. With the release of this strategy, the official said, the “lanes in the road are much clearer.”
The new strategy should "help guide development of DoD’s cyber forces, and it is also a reflection of DoD being more open than before," Carter said. "Another goal is to be better prepared to defend DoD information networks, secure data, and mitigate risks to military missions. We’ll do this in part through deterrence by denial, in line with today’s best-in-class cyber security practices, building a single security architecture that’s easier to defend."
The strategy cautions the Pentagon is not seeking to encroach on domestic law enforcement but only intends to intervene under extraordinary circumstances. Americans expect the Defense Department to protect the nation from hostile missile strikes or other acts of war, but in the cyber realm the military role is more difficult to understand. “Only when those attacks rise to the level of an armed attack” would the Pentagon’s Cyber Command take over, the official said. Events like the hacking of corporate networks or denial of service attacks would not meet that standard.
A large portion of the strategy is devoted to the notion of “deterrence” in cyberspace. While the Pentagon over decades of Cold War against the Soviets perfected strategies to deter nuclear strikes, it is finding that dissuading hackers or cyber spies is far more complicated. The strategy calls for a “clear response” to attacks, even if it is just a statement to make the perpetrator aware that there will be consequences to his actions.
"In some ways, what we’re doing about this threat is similar to what we do about more conventional threats," said Carter. "We like to deter malicious action before it happens, and we need to be able to defend against incoming attacks – as well as pinpoint where and whom an attack came from." The Pentagon would be ready to take offensive action if necessary, he said. "And when we do take action, defensive or otherwise, conventionally or in cyberspace, we operate under rules of engagement that comply with domestic and international law."
Another component of the new strategy is a greater effort by the Pentagon to motivate the private sector to step up investments in cyber security and spur technology developers to work with the Defense Department. “The Department of Defense has had a strong partnership with the private sector and research institutions historically, and DoD will strengthen those historic ties to discover and validate new ideas for cyber security,” said the new strategy.
American businesses own and operate nearly 90 percent of U.S networks. "The private sector must be a key partner," said Carter. "The U.S. government has a unique suite of cyber tools and capabilities, but we need the private sector to take its own steps to protect data and networks. We want to help where we can, but if companies themselves don’t invest, our country’s collective cyber security posture is weakened."
Eric Rosenbach, assistant secretary of defense for homeland defense and global security, told the Senate Armed Services Committee’s emerging threats and capabilities subcommittee last week that the Defense Department is building a cyber mission force of 133 teams. Much of that talent will come from the National Guard and Reserve, he said. The cyber mission force will include nearly 6,200 military, civilian, and contractor personnel.