Pentagon Unveils New Cyber Strategy


U.S. Defense Secretary Ash Carter yesterday introduced the Defense Department's new Cyber Strategy [PDF], an update to the department's original cyber strategy from 2011.

"While we in DoD are an attractive target, the cyber threat is one we all face as institutions and as individuals," Carter said in a speech at Stanford University.

The new Cyber Strategy lists the following five strategic goals for the DoD's cyber space missions:

  1. Build and maintain ready forces and capabilities to conduct cyberspace operations;
  2. Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions;
  3. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyber attacks of significant consequence;
  4. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages;
  5. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.

A key first step, Carter said, will be the building and training of the department's Cyber Mission Forces. "These are talented individuals who hunt down intruders, red-team our networks and perform the forensics that help keep our systems secure," he said. "And their skill and knowledge makes them much more valuable than the technology they use. We’re just beginning to build and to imagine this cyber force in DoD."

"In some ways, what we're doing about this threat is similar to what we do about more conventional threats," Carter said. "We like to deter malicious action before it happens, and we like to be able to defend against incoming attacks, as well as pinpoint where an attack came from."

As an example, Carter said, the DoD recently detected Russian hackers leveraging an unpatched vulnerability in a legacy network to access one of the DoD's unclassified networks.

"While it's worrisome they achieved some unauthorized access to our unclassified network, we quickly identified the compromise and had a team of incident responders hunting down the intruders within 24 hours," he said. "After learning valuable information about their tactics, we analyzed their network activity, associated it with Russia, and then quickly kicked them off the network, in a way that minimized their chances of returning."

He noted that partnerships with private sector companies like FireEye, Crowdstrike and HP have helped improve the department's ability to respond to attacks.

Similarly, Carter said, "The U.S. government has a unique suite of cyber tools and capabilities, but we need the private sector to take its own steps to protect its data and networks. We want to help where we can, but if companies themselves don’t invest, our country’s collective cyber posture is weakened and our ability to augment that protection is limited."

And while the new strategy is focused on defense, Carter said, "adversaries should know that our preference for deterrence and our defensive posture don't diminish our willingness to use cyber options if necessary. And when we do take action -- defensive or otherwise, conventionally or in cyberspace -- we operate under rules of engagement that comply with international and domestic law."

Joshua Cannell, malware intelligence analyst at Malwarebytes Labs, told eSecurity Planet by email that it's worth noting the new Cyber Strategy is much lengthier than the previous one, likely due to the department's intended increase in transparency.

"While Carter states the DoD hopes to use transparency in an effort to deter enemies of the United States, it's likely the goal of transparency also exists to help rebuild trust in United States intelligence agencies following NSA document leaks that raised a lot of eyebrows," Cannell said.

"Additionally, it's also true that malware has advanced since 2011, as the DoD has also noted," Cannell added. "Threats like Cryptolocker, malware that could bring an entire network to its knees, didn’t exist at the time, and organizations like the DoD need to revise their strategy to make sure they're prepared for whatever happens over the next five years."

And as HyTrust president and founder Eric Chiu noted by email, the stakes are extremely high. "With the rapidly changing landscape it is great to see the Pentagon release a new cyber security strategy, especially with our nation and economy at risk," he said.

"We are fighting an invisible enemy that is usually already on the inside and is highly motivated to steal our secrets, intellectual property and private data or cause destruction," Chiu added. "Looking at the major breaches over the last 18 months including Anthem, Target, Home Depot, Sony and Snowden, every company and government agency should take notice."