Modern field guide to security and privacy

Pentagon cybersecurity strategy comes with olive branch to Silicon Valley

In the first visit to Silicon Valley by a Defense secretary in nearly 20 years, Pentagon chief Ashton Carter rolled out the national cybersecurity defense strategy on Thursday during a trip meant to repair ties with the technology industry.

James Lawler Duggan/Reuters/File
US Secretary of Defense Ashton Carter entered the Pentagon briefing room in April.

In unveiling the nation’s new defense during a trip to Silicon Valley this week, Defense Secretary Ashton Carter has some heavy lifting ahead of him.

High on his to-do list is convincing some skeptical software giants – a group the US military is eagerly courting for its tech expertise – that the Pentagon is not involved in a nefarious plot to insert itself in their businesses or siphon off sensitive data in a quest to militarize cyberspace. After all, the tech industry is still reeling from the Edward Snowden revelations that exposed government surveillance programs to hoover up vast amounts of data from software companies.

Pentagon officials acknowledge that winning over Silicon Valley could be a tough sell, but that Secretary Carter must make the case if he is going to convince the high-tech community to join forces with the Pentagon.

Carter, too, was quick to acknowledge Silicon Valley’s apprehensions Thursday in a speech at Stanford University to chart the Pentagon’s way forward in the digital realm.

“It won’t always be easy. We’ve had tensions before, and likely will again,” Carter said. “We shouldn’t diminish it.”

But behind the scenes, defense officials are quick to point out that Carter is well aware – and supportive – of privacy protections and a firm line between matters that should be handled by the civilian arm of the government, and the Pentagon’s “very small role,” as one senior defense official put it, in responding to cyberattacks in the US.

The US military will step in only when these incursions “rise to the level of an armed attack,” said the defense official, who discussed the cyberstrategy on condition of anonymity.

This means “an attack of very significant consequence, not just a mere denial of service or a mere hack,” he said, adding that this represents “far less than 2 percent” of the overall attacks against the US. “Carter wants to make sure that’s clear.”

Carter endeavored to drive the point home on Thursday. The Pentagon’s new cyberstrategy would reflect two key goals, he said: to keep the Internet “open, secure, and prosperous,” and, second, “assuring that we continue to respect – and protect – the freedoms of expression, association, and privacy that reflect who we are as a nation.”

Even so, as Carter unveiled the strategy at Stanford University, the secretary played up the growing cyberthreat – one he plans to make a top priority of his tenure. Officials point out that Carter’s first domestic trip as Defense secretary was a visit to US Cyber Command.

While technology has enabled “boundless transformation,” prosperity, and generally made things “easier, cheaper, and safer,” these high-tech leaps forward are also dangerous, Carter told the Stanford audience.

“The same Internet that enables Wikipedia also allows terrorists to learn how to build a bomb,” he said. “The same technologies we use to target cruise missiles and jam enemy air defenses can be used against our own forces – and they’re now available to the highest bidder.”

This is hardly news inside the halls of the Pentagon, of course, where officials have realized for some time that they are struggling mightily under the considerable demands that cyberwarfare imposes.

Earlier this month, Assistant Secretary of Defense for Homeland Security and Global Security Eric Rosenbach told lawmakers that US Cyber Command lacks the ability to carry out a “robust” cybercampaign.

It’s a deficit that has long been acknowledged. The question has been how to fix it. “The answer,” Carter said Thursday, “is partnership.”

Why the Pentagon needs Silicon Valley

That Carter rolled out the highly anticipated cybersecurity way forward in Silicon Valley – the first visit by a Defense secretary to the region in nearly 20 years – is a clear acknowledgement that the Pentagon needs the private sector if its cyberresponse is going to achieve the level of “robustness” that the US military is seeking.

It is a humbling process for the Pentagon. For years, it has been the Defense Department that has driven technological innovation – think the Internet and GPS, which were both the result of military research projects.

Lately, however, the technological ecosystem is changing, and that trend has reversed itself. “While DOD labs remain world class, much of the technology for breakthrough innovations now resides in the private sector,” the senior defense official says. In other words, the DOD “has become an ‘importer.’ ”

As a result, the Pentagon is now looking to start-ups that are “lobbing micro-satellites into space, creating autonomous robotics, defining the biotechnology revolution,” he noted, “and exploring frontiers of big data – all technologies with military applications.”

The search for better partnerships with the high-tech sector is rooted in history, Carter noted in his speech. During World War II, Manhattan Project nuclear scientists teamed up with the Massachusetts Institute of Technology Radiation Lab “and the best of industry cranked out the ships, planes, tanks, and bombs that won the war.”

Pentagon's privacy pledge

The trip is an acknowledgement, too, that the Pentagon hopes to court this expertise – and alleviate some serious concerns in Silicon Valley.

These reservations revolve around issues of privacy and Pentagon overreach. They also involve what Pentagon officials are quick to acknowledge is a healthy skepticism of the NSA due to revelations of mass surveillance of the American people. The military commander of US Cyber Command, which is spearheading the Pentagon’s cyberwarfare front, is also the head of the NSA.

“Because of some of the issues associated with the NSA in the past,” the defense official said, “we thought really hard about how we want to communicate openness.”

This involves hammering home the message that the Pentagon is committed to “respecting privacy” and “the things we fight for as a nation,” the official added.

These reassurances are a nod to the lessons that Silicon Valley has to teach the Pentagon. For starters, Carter is stopping by Facebook to meet with Chief Operating Officer Sheryl Sandberg to see what DOD can learn about “managing a lot of smart people at once.”

He is meeting also with veterans now working in the tech world to discuss how the Pentagon can better recruit – and, equally important – retain the “very best people,” says the senior defense official.

6,200 strong cyber force

That kind of outreach will be critical to building up its cyber force, a mission that began in 2012. The plan is to have some 6,200 US troops and civilians to protect networks from attacks, as well as allowing the Pentagon to launch some cyber offensives of its own, a skill set defense officials tend to be less eager to discuss.

In an effort to build this cyber force – and encourage cross-pollination with the tech sector – the Pentagon will also be opening its own high-tech satellite office in Silicon Valley, likely at Moffett Field, a joint military-civilian airfield near Mountain View.

This office will be home to the Defense Innovation Unit Experimental. Staffed by “an elite cadre of active duty and civilian personnel,” DIUX will be augmented with reservists tasked with “scouting emerging and breakthrough technologies and building direct relationships with DOD.”

A number of these reservists are also heavy hitters in the tech community, having “funded and sold multiple companies,” a DOD official notes.

At the same time, the Pentagon is launching a branch of the US Digital Service, created by the White House back in August to “rescue,” as one DOD official put it, the website.

The DOD’s Digital Service branch will “surge on some of the most vexing problems,” the DOD faces, “and give DOD access to some of the best engineers in the world.”

Finally, the Pentagon will reform its Corporate Fellows program, which has been used in the past to send three dozen or so service members to top commercial companies.

In its new form, the fellowship will expand from one to two years, to allow troops to take their second year to return to the military and implement the business practices they learned from industry. “This approach will increase return on this investment substantially,” says a senior defense official.

A quickly evolving threat

The Pentagon last updated its cyberstrategy in 2011. One of the big challenges remains how to deter against the theft of personal data, which defense officials say is “much more difficult to deter than a catastrophic attack.”

These data thefts are also increasing in severity, Carter argued. “The North Korean cyberattack on Sony was the most destructive on a US entity so far,” he said. “This threat affects us all.”

The incursions come from state and nonstate actors alike, he added. “Just as Russia and China have advanced cybercapabilities and strategies ranging from stealthy network penetration to intellectual property theft, criminal and terrorist networks are also increasing their cyberoperations.”

In response, “We used a lot of different tools, other than just cybertools,” the senior defense official said.

Ultimately, this will involve “trying to deny the benefits” of the attack to the adversary, and figuring out how to “up the costs,” the official adds. “Making sure your adversary understands that there are consequences.”

The first step in that regard is for the Pentagon to get better at attribution. Carter cited private sector security researchers “like FireEye, Crowdstrike, and HP” as leaders in this realm. “When they ‘out’ a group of malicious cyberattackers, we take notice,” he said.

Carter cited a recently declassified cyberincursion earlier this year, in which “the sensors that guard DOD’s unclassified networks detected Russian hackers accessing one of our networks,” he said. “They’d discovered an old vulnerability in one of our legacy networks that hadn’t been patched.”

While the incursion was “worrisome,” he said, the plus was that the Pentagon’s cyber specialists “quickly identified the compromise, and had a crack team of incident responders hunting the intruders within 24 hours.”

The Pentagon needs to do more of that, and one key goal of the new cyberstrategy is for the DOD to be better prepared to defend its networks.

Barring that, the military is prepared to make intruders pay. “Adversaries should know that our preference for deterrence and our defensive posture,” Carter said, “don’t diminish our willingness to use cyberoptions if necessary.”
