The latest Cyber Strategy, released this week by the Pentagon, refines the nation’s strategic goals in cyberspace and recognizes for the first time the DOD’s responsibility to protect private sector networks that are not necessarily critical infrastructure.
The Pentagon has released its latest Defense Department Cyber Strategy, updating its original strategy released in 2011 and refining the nation’s strategic goals in cyberspace.
Key strategies in the document have been realigned as a result of four years’ experience in cyber skirmishing, but one of the most interesting changes is that the DOD recognizes for the first time its responsibility to defend private sector networks that are not necessarily critical infrastructure. The Pentagon seems to be acknowledging that because private networks and IT systems have global exposure but companies are limited in how they can defend themselves, it is up to the military to step up to the job.
This does not mean that the DOD is taking over private sector cybersecurity.
“The United States government has a limited and specific role to play in defending the nation against cyberattacks of significant consequence,” the strategy states. Because private sector owns and operates most of infrastructure of cyberspace, the private sector provides the first line of defense.
But the economic importance of private networks is too great for attacks on them to be ignored.
The strategy includes protection of U.S. economic interests among the DOD missions and cites the 2014 North Korean attack against Sony Pictures as “one of the most destructive cyberattacks on a U.S. entity to date.” The administration announced after the Sony attacks that the United States would make an appropriate response, signaling this strategic shift. What that response would be and whether it has been made has not been announced, but the new strategy document seems to confirm the approach.
The idea is not new, says Dr. Mike Lloyd, CTO of the security analytics company RedSeal. It dates back to the Barbary War and the “shores of Tripoli” in the early 19th Century. “Today’s reality has a closer analogy to naval piracy than to World War II,” Lloyd said. “Rather than a great conflict of warring nations, piracy was a scourge based in lawless areas, but one that represented a steady back-pressure on prosperity, security and trade.”
Neither is the idea of working with the private sector new. DOD has always emphasized the need to partner with companies to develop the expertise and technology needed to protect its own networks, and has recognized the private sector as the first line of defense for the nation’s infrastructure. But now DOD seems to be saying, “We will help you to defend your networks,” even if they are not power grids or other critical infrastructure. This defense would most likely take the form of reaching out to touch someone after the fact when an assertive response by a company such as Sony would be illegal.
The 2011 Cyber Strategy was notable for recognizing cyberspace as a new military domain, along with land, water, air and space. Both strategies lay out five strategic goals, although those goals have change somewhat over the years. Here is a side-by-side comparison of the two:
2015 Cyber Strategy
I. Build and maintain ready forces and capabilities to conduct cyberspace operations
II. Defend the DOD information network, secure DOD data, and mitigate risks to DOD missions
III. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence.
IV. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages.
V. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability
2011 Cyber Strategy
I. Treat Cyberspace as an operational domain to organize, train and equip so that DOD can take full advantage of cyberspace’s potential
II. Employ new defense operating concepts to protect DOD networks and systems
III. Partner with other U.S. government departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy
IV. Build robust relationships with U.S. allies and international partners to strengthen collective cybersecurity
V. Leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation