WASHINGTON, April 24, 2015 – Defense Secretary Ash Carter today unveiled the Defense Department’s second cyber strategy to guide the development of DoD’s cyber forces and to strengthen its cyber defenses and its posture on cyber deterrence.
Carter discussed the new strategy – an update to the original strategy released in 2011 – before an audience at Stanford University on the first day of a two-day trip to Silicon Valley in California.
At Stanford, he delivered the annual Drell Lecture, and afterward he was scheduled to visit the Facebook campus in Menlo Park. Tomorrow, the secretary will meet with executives at the $4 billion venture-capital firm Andreessen Horowitz.
A Complex Challenge
“While we in DoD are an attractive target, the cyber threat is one we all face as institutions and as individuals,” Carter said at Stanford.
In response to one of the world’s most complex challenges, the Defense Department has three missions in the cyber domain, he added.
The first is to defend DoD networks, systems and information. The second is to defend the U.S. homeland and U.S. national interests against cyber attacks of significant consequence.
The third is to provide integrated cyber capabilities to support military operations and contingency plans.
“In some ways, what we’re doing about this threat is similar to what we do about more conventional threats,” Carter said.
Deterrence is Key
“We like to deter malicious action before it happens and we like to be able to defend against incoming attacks as well as pinpoint where an attack came from,” the secretary said. Stronger partnerships throughout the government and stronger private-sector security researchers such as FireEye, Crowdstrike, HP and others have improved the department’s ability to respond, he added.
Deterrence is a key part of the new cyber strategy, which describes the department’s contributions to a broader national set of capabilities to deter adversaries from conducting cyber attacks, according to a fact sheet about the strategy.
The department assumes that the totality of U.S. actions — including declaratory policy, substantial indications and warning capabilities, defensive posture, response procedures and resilient U.S. networks and systems – will deter cyberattacks on U.S. interests, the fact sheet added.
Action, Defensive or Otherwise
“Still,” Carter said, “adversaries should know that our preference for deterrence and our defensive posture don’t diminish our willingness to use cyber options if necessary.”
When the nation does take action, defensive or otherwise, conventionally or in cyberspace, he added, it operates under rules of engagement that comply with international and domestic law.
The approach reflects two goals, the secretary said: “keeping the Internet open, secure and prosperous, and assuring that the nation continues to respect and protect the freedoms of expression, association and privacy that reflect who we are as a nation.”
Dozens of militaries are developing cyber forces, Carter said, and because stability depends on avoiding miscalculation that could lead to escalation, militaries must talk to each other and understand each other’s abilities.
Shedding Light on Cyber
DoD must do its part, the secretary said, to shed more light on cyber capabilities that historically have been developed in the shadows.
Carter shared with the audience an incident that was recently declassified to help illustrate the cyber threat facing the department and how it responds.
The incident “has never been publicly reported,” he said, “and it shows how rapidly DoD can detect, attribute and expel an intruder” from its military networks.
Earlier this year, he said, the sensors that guard DoD’s unclassified networks detected Russian hackers accessing one of DoD’s networks who had discovered an unpatched vulnerability in a legacy network.
Hunting Down Intruders
“While it’s worrisome they achieved some unauthorized access to our unclassified network, we quickly identified the compromise and had a team of incident responders hunting down the intruders within 24 hours,” Carter explained.
After discerning valuable information about the hackers’ tactics, experts analyzed the network activity, associated it with Russia, then kicked them off the network in a way that minimized their chances of returning, he added.
The episode illustrates a step in the right direction, Carter said, and he told the audience about the department’s new cyber strategy, which he said begins with the department’s people.
The strategy’s first strategic goal is building and training the department’s Cyber Mission Forces, he said.
Keeping Systems Secure
“These are talented individuals who hunt down intruders, red-team our networks and perform the forensics that help keep our systems secure,” Carter added, noting that their skill and knowledge makes them more valuable than the technology they use.
Another goal, the secretary said, is to be better prepared to build and defend DoD information networks, secure data and mitigate risks to military missions.
“We do this in part through deterrence by denial, in line with today’s best-in-class cybersecurity practices, building a single security architecture that’s more easily defendable and able to adapt and evolve to mitigate current and future cyber threats,” Carter said.
Consolidating DoD IT
DoD also will strengthen network defense command and control to synchronize across thousands of DoD networks, and conduct exercises in resilience, he said, so that if a cyberattack degrades capabilities, the department still can mobilize, deploy and operate forces in all other domains.
“Just this week I directed that we consolidate DoD’s IT services in the Pentagon and throughout the capital region,” Carter said, noting that this will help improve cybersecurity and save millions of dollars.
A primary aspect of the strategy is working with partners in the private sector, across the government and around the world, the secretary said. And because U.S. businesses own, operate and see about 90 percent of national networks, the private sector must be a key partner, he added.
“The U.S. government has a unique suite of cyber tools and capabilities, but we need the private sector to take its own steps to protect its data and networks,” Carter said.
Helping When Possible
“We want to help where we can,” the secretary added, “but if companies themselves don’t invest, our country’s collective cybersecurity posture is weakened and our ability to augment that protection is limited.”
To build the cyber force, Carter said, “we’re going to need to use new ways to attract talent through new private-sector exchange programs, … and to ensure that our people have the right tools to execute their missions, we’re going to [increase] our fundamental research and development … with established and emerging private-sector partners in cyber.”
With these partners, he added, cyber capabilities can be created that can both help DoD and then spin off into the wider U.S. marketplace.
To ensure that the department’s cyber operations are appropriate and effective, Carter said, “we’re going to work more closely with our law-enforcement partners at FBI, with Homeland Security, and elsewhere.”
Clear lines of authority dictate who can work where, the secretary said, so as adversaries jump from foreign to U.S. networks, defenders must coordinate with the government to operate seamlessly.
“I’m determined that the Department of Defense be a cooperative partner with law enforcement and with Homeland Security,” Carter said.
The department has already begun practicing with its FBI partners, he added, “and we’re going to be exercising much more going forward. It’s important that we work together and that we all behave in a way that is lawful and appropriate.”
This is serious business, Carter told the audience, and it requires collaboration.
“But in addition to the dangers there are great opportunities to be seized through a new level of partnership between the Pentagon and Silicon Valley,” he added, “opportunities that we can only realize together.”