Pentagon Updates Cyberdefense StrategyMilitary Willing to Use Cyberwarfare to Protect U.S. Interests
The Department of Defense has unveiled an updated cybersecurity strategy that officially acknowledges for the first time that the U.S. military is willing to use cyberwarfare to defend U.S. interests against cyber-enemies.
The cyberstrategy - an update to a strategy released in 2011 - is laid out in a 42-page document, The Department of Defense Cyber Strategy, which is designed "to guide the development of DoD's cyber forces and to strengthen its cyber defenses and its posture on cyber deterrence," says a DoD statement about the plan.
In defending the country, "if directed by the president or the secretary of defense, the U.S. military may conduct cyber operations to counter an imminent or ongoing attack against the U.S. homeland or U.S. interests in cyberspace," the strategy states. "The purpose of such a defensive measure is to blunt an attack and prevent the destruction of property or the loss of life.
Defense Secretary Ashton Carter said in an April 23 speech at Stanford University: "As tech companies see every day, the cyberthreat against U.S. interests is increasing in severity and sophistication." His two-day California trip was aimed at describing the DoD's updated strategy and fostering cybersecurity collaboration between the Pentagon and the Silicon Valley IT community.
"While the North Korean cyber-attack on Sony was the most destructive on a U.S. entity so far, this threat affects us all. And it comes from state and non-state actors alike. Just as Russia and China have advanced cyber capabilities and strategies ranging from stealthy network penetration to intellectual property theft, criminal and terrorist networks are also increasing their cyber operations," Carter told the audience. "Low-cost and global proliferation of malware have lowered barriers to entry and made it easier for smaller malicious actors to strike in cyberspace. We're also seeing blended state-and-non-state threats in cyber ... which complicates potential responses for us and for others."
Kaleidoscope of Threats
As an example of the "kaleidoscope" of cyberthreats the DoD sees, Carter described a recent incident. "Earlier this year, the sensors that guard DoD's unclassified networks detected Russian hackers accessing one of our networks," he said.
"They'd discovered an old vulnerability in one of our legacy networks that hadn't been patched. While it's worrisome they achieved some unauthorized access to our unclassified network, we quickly identified the compromise and had a team of incident responders hunting down the intruders within 24 hours," he said. "After learning valuable information about their tactics, we analyzed their network activity, associated it with Russia, and then quickly kicked them off the network in a way that minimized their chances of returning."
The DoD's cyberstrategy has three missions, Carter said. The first is to defend DoD networks, systems and information. The second is to defend the U.S. homeland and U.S. national interests against cyberattacks of significant consequence. The third is to provide integrated cybercapabilities to support military operations and contingency plans.
""In some ways, what we're doing about this threat is similar to what we do about more conventional threats," Carter said.
The plan also sets five strategic goals and establishes specific objectives for DoD to achieve over the next five years and beyond:
- Build and maintain ready forces and capabilities to conduct cyberspace operations;
- Defend the DoD information network, secure DoD data and mitigate risks to DoD missions;
- Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence;
- Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages;
- Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.
Deterrence is also an important part of the new cyberstrategy, Carter said. "This new strategy ... is also a reflection of DoD being more open than before," he said. "Adversaries should know that our preference for deterrence and our defensive posture don't diminish our willingness to use cyber options if necessary. And when we do take action - defensive or otherwise, conventionally or in cyberspace - we operate under rules of engagement that comply with international and domestic law."
In its statement, the DoD says it "assumes that the totality of U.S. actions - including declaratory policy, substantial indications and warning capabilities, defensive posture, response procedures and resilient U.S. networks and systems - will deter cyber-attacks on U.S. interests."
Carter noted in his speech: "In some ways, what we're doing about this threat is similar to what we do about more conventional threats. We like to deter malicious action before it happens, and we like to be able to defend against incoming attacks - as well as pinpoint where an attack came from. We've gotten better at that because of strong partnerships across the government, and because of private-sector security researchers like FireEye, Crowdstrike, HP - when they 'out' a group of malicious cyber-attackers, we take notice and share that information."
Building Talent Pipeline
An important part of the strategy is the DoD's effort, which was officially launched in 2012, to build a Cyber Mission Force, or CMF, to carry out DoD's cyber missions. "The CMF will include nearly 6,200 military, civilian, and contractor support personnel from across the military departments and defense components. The strategy provides clear guidance for the CMF's development," the DoD says in a fact sheet describing the updated cyberstrategy.
As for the DoD's apparent new openness in laying out its cybersecurity strategy, Carter said, I think that ... our companies and our people need to be convinced that everything we do in the cyber domain is lawful and appropriate and necessary. And I think the [Edward] Snowden revelations indicated that we had a difference of view between what we were doing and what people understood us to be doing. So we've made some adjustments in that, and I think we'll continue to be more open and adjust. ... When we do surveillance, we're doing it to counter terrorism, to counter military action, to counter trafficking and other things that are heinous. We do not do it to collect people's private information for the information's sake."