In unveiling the nation’s new strategy for cybersecurity defense during a trip to Silicon Valley this week, Defense Secretary Ashton Carter has some heavy lifting ahead of him.
High on his to-do list is convincing some skeptical software giants – a group the US military is eagerly courting for its tech expertise – that the Pentagon is not involved in a nefarious plot to insert itself in their businesses or siphon off sensitive data in a quest to militarize cyberspace. After all, the tech industry is still reeling from the Edward Snowden revelations that exposed government surveillance programs to hoover up vast amounts of data from software companies.
Pentagon officials acknowledge that winning over Silicon Valley could be a tough sell, but that Secretary Carter must make the case if he is going to convince the high-tech community to join forces with the Pentagon.
Carter, too, was quick to acknowledge Silicon Valley’s apprehensions Thursday in a speech at Stanford University to chart the Pentagon’s way forward in the digital realm.
“It won’t always be easy. We’ve had tensions before, and likely will again,” Carter said. “We shouldn’t diminish it.”
But behind the scenes, defense officials are quick to point out that Carter is well aware – and supportive – of privacy protections and a firm line between matters that should be handled by the civilian arm of the government, and the Pentagon’s “very small role,” as one senior defense official put it, in responding to cyberattacks in the US.
The US military will step in only when these incursions “rise to the level of an armed attack,” said the defense official, who discussed the cyberstrategy on condition of anonymity.
This means “an attack of very significant consequence, not just a mere denial of service or a mere hack,” he said, adding that this represents “far less than 2 percent” of the overall attacks against the US. “Carter wants to make sure that’s clear.”
Carter endeavored to drive the point home on Thursday. The Pentagon’s new cyberstrategy would reflect two key goals, he said: to keep the Internet “open, secure, and prosperous,” and, second, “assuring that we continue to respect – and protect – the freedoms of expression, association, and privacy that reflect who we are as a nation.”
Even so, as Carter unveiled the strategy at Stanford University, the secretary played up the growing cyberthreat – one he plans to make a top priority of his tenure. Officials point out that Carter’s first domestic trip as Defense secretary was a visit to US Cyber Command.
While technology has enabled “boundless transformation,” prosperity, and generally made things “easier, cheaper, and safer,” these high-tech leaps forward are also dangerous, Carter told the Stanford audience.
“The same Internet that enables Wikipedia also allows terrorists to learn how to build a bomb,” he said. “The same technologies we use to target cruise missiles and jam enemy air defenses can be used against our own forces – and they’re now available to the highest bidder.”
This is hardly news inside the halls of the Pentagon, of course, where officials have realized for some time that they are struggling mightily under the considerable demands that cyberwarfare imposes.
Earlier this month, Assistant Secretary of Defense for Homeland Security and Global Security Eric Rosenbach told lawmakers that US Cyber Command lacks the ability to carry out a “robust” cybercampaign.
It’s a deficit that has long been acknowledged. The question has been how to fix it. “The answer,” Carter said Thursday, “is partnership.”
Why the Pentagon needs Silicon Valley
That Carter rolled out the highly anticipated cybersecurity way forward in Silicon Valley – the first visit by a Defense secretary to the region in nearly 20 years – is a clear acknowledgement that the Pentagon needs the private sector if its cyberresponse is going to achieve the level of “robustness” that the US military is seeking.
It is a humbling process for the Pentagon. For years, it has been the Defense Department that has driven technological innovation – think the Internet and GPS, which were both the result of military research projects.
Lately, however, the technological ecosystem is changing, and that trend has reversed itself. “While DOD labs remain world class, much of the technology for breakthrough innovations now resides in the private sector,” the senior defense official says. In other words, the DOD “has become an ‘importer.’ ”
As a result, the Pentagon is now looking to start-ups that are “lobbing micro-satellites into space, creating autonomous robotics, defining the biotechnology revolution,” he noted, “and exploring frontiers of big data – all technologies with military applications.”
The search for better partnerships with the high-tech sector is rooted in history, Carter noted in his speech. During World War II, Manhattan Project nuclear scientists teamed up with the Massachusetts Institute of Technology Radiation Lab “and the best of industry cranked out the ships, planes, tanks, and bombs that won the war.”
Pentagon's privacy pledge
The trip is an acknowledgement, too, that the Pentagon hopes to court this expertise – and alleviate some serious concerns in Silicon Valley.
These reservations revolve around issues of privacy and Pentagon overreach. They also involve what Pentagon officials are quick to acknowledge is a healthy skepticism of the NSA due to revelations of mass surveillance of the American people. The military commander of US Cyber Command, which is spearheading the Pentagon’s cyberwarfare front, is also the head of the NSA.
“Because of some of the issues associated with the NSA in the past,” the defense official said, “we thought really hard about how we want to communicate openness.”
This involves hammering home the message that the Pentagon is committed to “respecting privacy” and “the things we fight for as a nation,” the official added.
These reassurances are a nod to the lessons that Silicon Valley has to teach the Pentagon. For starters, Carter is stopping by Facebook to meet with Chief Operating Officer Sheryl Sandberg to see what DOD can learn about “managing a lot of smart people at once.”
He is meeting also with veterans now working in the tech world to discuss how the Pentagon can better recruit – and, equally important – retain the “very best people," says the senior defense official.
6,200 strong cyber force
That kind of outreach will be critical to building up its cyber force, a mission that began in 2012. The plan is to have some 6,200 US troops and civilians to protect networks from attacks, as well as allowing the Pentagon to launch some cyber offensives of its own, a skill set defense officials tend to be less eager to discuss.
In an effort to build this cyber force – and encourage cross-pollination with the tech sector – the Pentagon will also be opening its own high-tech satellite office in Silicon Valley, likely at Moffett Field, a joint military-civilian airfield near Mountain View.
This office will be home to the Defense Innovation Unit Experimental. Staffed by “an elite cadre of active duty and civilian personnel,” DIUX will be augmented with reservists tasked with “scouting emerging and breakthrough technologies and building direct relationships with DOD.”
A number of these reservists are also heavy hitters in the tech community, having “funded and sold multiple companies,” a DOD official notes.
At the same time, the Pentagon is launching a branch of the US Digital Service, created by the White House back in August to “rescue,” as one DOD official put it, the healthcare.gov website.
The DOD’s Digital Service branch will “surge on some of the most vexing problems,” the DOD faces, “and give DOD access to some of the best engineers in the world.”
Finally, the Pentagon will reform its Corporate Fellows program, which has been used in the past to send three dozen or so service members to top commercial companies.
In its new form, the fellowship will expand from one to two years, to allow troops to take their second year to return to the military and implement the business practices they learned from industry. “This approach will increase return on this investment substantially,” says a senior defense official.
A quickly evolving threat
The Pentagon last updated its cyberstrategy in 2011. One of the big challenges remains how to deter against the theft of personal data, which defense officials say is "much more difficult to deter than a catastrophic attack.”
These data thefts are also increasing in severity, Carter argued. “The North Korean cyberattack on Sony was the most destructive on a US entity so far,” he said. “This threat affects us all.”
The incursions come from state and nonstate actors alike, he added. “Just as Russia and China have advanced cybercapabilities and strategies ranging from stealthy network penetration to intellectual property theft, criminal and terrorist networks are also increasing their cyberoperations.”
In response, “We used a lot of different tools, other than just cybertools,” the senior defense official said.
Ultimately, this will involve “trying to deny the benefits” of the attack to the adversary, and figuring out how to “up the costs,” the official adds. “Making sure your adversary understands that there are consequences.”
The first step in that regard is for the Pentagon to get better at attribution. Carter cited private sector security researchers “like FireEye, Crowdstrike, and HP” as leaders in this realm. “When they ‘out’ a group of malicious cyberattackers, we take notice,” he said.
Carter cited a recently declassified cyberincursion earlier this year, in which “the sensors that guard DOD’s unclassified networks detected Russian hackers accessing one of our networks,” he said. “They’d discovered an old vulnerability in one of our legacy networks that hadn’t been patched.”
While the incursion was “worrisome,” he said, the plus was that the Pentagon’s cyber specialists “quickly identified the compromise, and had a crack team of incident responders hunting the intruders within 24 hours.”
The Pentagon needs to do more of that, and one key goal of the new cyberstrategy is for the DOD to be better prepared to defend its networks.
Barring that, the military is prepared to make intruders pay. “Adversaries should know that our preference for deterrence and our defensive posture,” Carter said, “don’t diminish our willingness to use cyberoptions if necessary.”