Cyber Defense Review

The New 2015 DoD Cyber Strategy – General Alexander Was Right

By Robert Clark | May 05, 2015

The reports on the new Department of Defense (DoD) Cyber Strategy were typical; each highlighted what was put in or left out of the document in accordance to what their authors wanted to report.  On the whole they hit the mark in pointing out that this 2015 cyber strategy was more transparent, emphasized deterrence and innovation, and that DoD would partner for a “whole of government approach.”  Presumably this is what the DoD, and this Administration, wanted.

Some reporters were surprised that offensive cyber operations were mentioned.  Some were disappointed that transparency did not include revealing or confessing past cyberspace operations.  And still others stayed mainstream by focusing on the themes of transparency, deterrence and work force development.  What was really interesting, however, was what was missed: that General Alexander had it right all along. DoD has a larger role defending the homeland and private companies than has previously been officially acknowledged.

In the past, there has been a fierce debate in the Inter-Agency regarding the role of DoD in conducting computer network defense.  Was it better situated to defend not only DoD but the government as a whole and even the private sector against cyber-attacks ?  Adding to the debate was the fact that there are definitions galore.  Definitions not only of what is a cyber-attack, but also what constitutes cybersecurity, defense, exploitation, incident, intrusion, significant incident. The terms went on, as did the arguments over the roles of various government agencies involved in cyberspace operations.

Of all the advocates in this melee, stories and “rumor intelligence” were well reported that General Alexander (then Director of the NSA and Commander of U.S. Cyber Command) had been “taken to the woodshed” by the Administration for his comments regarding the fact that DoD should defend the Country, and more controversially, private sector from cyber-attacks.

Well, General Alexander was correct in what the new 2015 DoD Strategy admits not only in its introduction

In concert with other agencies, the United States’ Department of Defense (DoD) is responsible for defending the U.S. homeland and U.S. interests from attack, including attacks that may occur in cyberspace. In a manner consistent with U.S. and international law, the Department of Defense seeks to deter attacks and defend the United States against any adversary that seeks to harm U.S. national interests during times of peace, crisis, or conflict.

but in Strategic Goal III as well, “[B]e prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence.”

When General Alexander spoke about DoD defending the private sector, people heard what the White House admonished him for: ‘you are compromising our privacy and civil liberties,’ ‘companies don’t want the Department of Defense in their networks.’  What General Alexander was advocating though was the government response we saw in Sony.  Moreover, the lessons learned from Sony were captured and well documented in the new DoD Cyber Strategy.  Specifically, if a cyber intrusion causes severe economic significance, from a Nation-State, with terrorist threats, and it qualifies as a cyber-attack, then DoD has a role.

General Alexander wasn’t asking to be “in” or “on” every network. He wasn’t asking to defend everything (a task no one could undertake).  He was asking to allow ALL government entities that comprise computer network defense to work through their progressions and coordinate bringing their inherent authorities to the problem, on a case-by-case basis on problems that rise to a high level of significance.

It is this latter point that both the strategy and Secretary of Defense Carter emphasize. The Strategy clarifies that a significant consequence is – “[W]hile cyberattacks are assessed on a case-by-case and fact-specific basis by the President and the U.S. national security team, significant consequences may include loss of life, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact on the United States.”  Secretary of Defense Carter, responding to a question during the roll-out at Stanford, similarly stated

[S]omething that threatens significant loss of life, destruction of property, lasting economic damage to people. Those are — is the kind of thing as in any use of — of force against Americans or American interests where the president would determine what the response ought to be on the basis of its proportionality and its effectiveness, and it won’t be any different in cyber than it will in any other domain, and by the way, the response might not occur in cyberspace, but might recur — might occur in a different way.

We don’t need DoD getting involved in every cyber incident or intrusion that occurs.  A point well understood by General Alexander.  Cyber support has many facets from forensics, to problem set analysis, to plain old technical assistance.

With this now bluntly and candidly stated in the new strategy, the tough part now becomes the process to accomplish this goal.  It is this that most concerns private companies: what are the “red-lines” and “triggers” that get different government (DoD) agencies involved in a cyber incident?  And what are the processes for this?  Are the processes only executed or driven by government agencies or will businesses have a seat at the table?

This new strategy is being viewed as quite the improvement over the 2011 strategy that was criticized.  Of course now comes the hard part, implementation, and as mentioned, that is what business and the private sector care about.

 

 

References

Two Observations About The New DOD Cyber Strategy, http://www.lawfareblog.com/2015/04/two-observations-about-the-new-dod-cyber-strategy/

DOD’s New Cyber Strategy Concedes Offensive Ops, http://www.afcea.org/content/?q=Article-dods-new-cyber-strategy-concedes-offensive-ops

DOD’S NEW ‘TRANSPARENT’ POLICY ON CYBERSECURITY IS STILL OPAQUE, http:// www.wired.com/2015/04/dods-new-transparent-policy-cybersecurity-still-opaque/

Rewiring the Pentagon: Carter’s new cyber strategy, http://fcw.com/articles/2015/04/22/rewiring-the-pentagon.aspx?m=2

2015 DOD Cyber Strategy, http://csis.org/publication/2015-dod-cyber-strategy

Defense Secretary Outlines New Cybersecurity Strategy, http://www.darkreading.com/attacks-breaches/defense-secretary-outlines-new-cybersecurity-strategy-/d/d-id/1320147

White House, NSA weigh cybersecurity, personal privacy, found at http://www.washingtonpost.com/world/national-security/white-house-nsa-weigh-cyber-security-personal-privacy/2012/02/07/gIQA8HmKeR_story.html

Homeland Security chief calls Sony hack ‘an attack on our freedom of expression’ http://www.theverge.com/2014/12/19/7422711/homeland-security-chief-calls-sony-hack-an-attack-on-our-freedom-of

DoD Cyber Strategy, http://www.defense.gov/home/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf

Remarks by Secretary Carter at the Drell Lecture Cemex Auditorium, Stanford Graduate School of Business, Stanford, California, http://www.defense.gov/Transcripts/Transcript.aspx?TranscriptID=5621 Presenter: Defense Secretary Ash Carter April 23, 2015

DOD’s “First” Cyber Strategy is Neither First, Nor a Strategy, http://www.forbes.com/sites/seanlawson/2011/08/01/dods-first-cyber-strategy-is-neither-first-nor-a-strategy/