Defense Secretary Ash Carter unveiled a new cybersecurity strategy for the Pentagon last month, the first significant revision of the Defense Department’s cybersecurity strategy since it was issued in 2011.
The new strategy focuses on a number of key areas, including cyber-related research and development, increased collaboration with technology leaders in Silicon Valley and stronger partnerships with the Department of Homeland Security (DHS).
While the policy touches on several major issues, here are four key takeaways from it and a handful of other announcements Carter made on April 23.
1. Stronger California Connections
Carter’s cybersecurity speech at Stanford University marked the first time in nearly 20 years that a sitting secretary of Defense visited Silicon Valley.
The Pentagon is establishing a full-time outreach office in the nation’s commercial technology epicenter that will be staffed with active-duty and civilian personnel. Its mission will be to find ways to engage the nation’s brightest technology minds in Defense efforts.
The move should come as little surprise: The White House has made significant efforts over the past six months to engage with Silicon Valley leaders, bringing a handful — namely, Megan Smith, U.S. chief technology officer; DJ Patil, deputy chief technology officer for data policy and chief data scientist; and Mikey Dickerson, administrator of the U.S. Digital Service — into the administration. The Pentagon following suit is a logical next step.
2. Deterrence Is the Best Defense
Sometimes the best way to win a fight is never to get into one. The strategy centers on actions to deter enemies from conducting cyberattacks against the government, including “a declaratory policy, substantial indications and warning capabilities, defensive posture, effective response procedures” and a system that is incredibly resilient, according to the policy.
3. Smoother Collaboration Among Government Agencies
One of the biggest problems in government has been cybersecurity governance and jurisdictional clashes with agencies such as DHS.
The issue has centered on who is tasked with protecting federal information; the Defense Department is responsible for protecting the country from attack, but only in a slim range of cases, such as a foreign enemy attacking critical infrastructure, while DHS and the FBI take the lead in other incidents. The new strategy builds on the working relationship among these agencies.
"We now work very closely with DHS and FBI, and we exercise regularly. That's another thing that's changed considerably over the past four years," said a senior Defense official, who spoke to reporters under the condition of anonymity before last month’s announcement, according to Federal News Radio. "There was a lot of interagency tension before, and the lanes in the road are much clearer now."
4. Counterattacks Are a Last Resort
The number of cyberattack cases the Defense Department has authority over is limited: it will tackle only those that are large or “of significant consequence,” as the policy outlines. These include incidents involving “loss of life, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact on the United States.”
If any of those conditions present themselves, the president or secretary of Defense may authorize the use of cyber operations to counter the threat, but that is seen as a last resort.
“As a matter of principle, the United States will seek to exhaust all network defense and law enforcement options to mitigate any potential cyber risk to the U.S. homeland or U.S. interests before conducting a cyberspace operation,” the policy explains.