The Pentagon’s first-ever cybersecurity strategy calls for strengthening defenses and reducing incentives for attacks, outgoing Deputy Defense Secretary William Lynn said yesterday.
The Pentagon released its unclassified Department of Defense Strategy for Operating in Cyberspace (DSOC), a 13-page document that, among other things, explains how the military services train, equip, and command their forces for the so-called cyber mission.
Lynn presented the strategy yesterday in a speech at the National Defense University (NDU) in Washington, outlining its five pillars: treating cyberspace as an operational domain, employing more active defenses, working with the Department of Homeland Security and the private sector to protect critical infrastructure networks, building collective cyber defense with allies and international partners, and enhancing network security to reduce the advantages attackers have on the Internet.
The more-active defenses the Pentagon is using employ “sensors, software, and signatures to detect and stop malicious code before it affects our operations, thereby denying the benefit of an attack,” Lynn said.
He said more than $500 million in research and development funds have been spent over the last year to “accelerate research on advanced defensive technologies.”
“Our research agenda includes novel approaches to improving network security and defense,” he said. “We imagine a time when computers innately and automatically adapt to new threats. We hope for a world when we can not only transmit information in encrypted form, but also keep data encrypted as we perform regular computer operations. Having data encrypted 100 percent of the time would be a revolution in computer security, greatly enhancing our ability to operate in un-trusted environments.”
Lynn responded to concerns about cyberspace “being militarized,” the worry that a domain used by civilians for peaceful purposes would be fundamentally altered by the Pentagon’s efforts to defend it.
He said that just “as our military organizes to defend against hostile acts from land, air, and sea, we must also be prepared to respond to hostile acts in cyberspace.”
“Accordingly, the United States reserves the right, under the laws of armed conflict, to respond to serious cyber attacks with a proportional and justified military response at the time and place of our choosing,” he told the NDU crowd.
Yet he added that the ability to identify and respond to a serious cyber attack is only part of the Pentagon’s strategy.
“Our strategy’s overriding emphasis is on denying the benefit of an attack,” he said. “Rather than rely on the threat of retaliation alone to deter attacks in cyberspace, we aim to change our adversaries’ incentives in a more fundamental way. If an attack will not have its intended effect, those who wish us harm will have less reason to target us through cyberspace in the first place.”
He argued that “establishing robust cyber defenses no more militarizes cyberspace than having a navy militarizes the ocean.”
The Pentagon established U.S. Cyber Command in May 2010. In May of this year, President Barack Obama unveiled the U.S. International Strategy for Cyberspace.
The Pentagon describes the new strategy in a statement as its first “unified strategy for cyberspace,” which “officially encapsulates a new way forward for DoD’s military, intelligence, and business operations.”
“I view (cyber) as an area in which we’re going to confront increasing threats in the future and think we have to be better prepared to deal with the growing cyber challenges that will face the nation,” Defense Secretary Leon Panetta said in a statement.