
The Cyber Defense Review

The New 2015 DoD Cyber Strategy – General Alexander Was Right

By Robert Clark | May 05, 2015

The reports on the new Department of Defense (DoD) Cyber Strategy were typical; each highlighted what was put in or left out of the document according to what its author wanted to report. On the whole they hit the mark in pointing out that this 2015 cyber strategy was more transparent, emphasized deterrence and innovation, and that DoD would partner for a “whole of government approach.” Presumably this is what the DoD, and this Administration, wanted.

Some reporters were surprised that offensive cyber operations were mentioned.  Some were disappointed that transparency did not include revealing or confessing past cyberspace operations.  And still others stayed mainstream by focusing on the themes of transparency, deterrence and work force development.  What was really interesting, however, was what was missed: that General Alexander had it right all along. DoD has a larger role defending the homeland and private companies than has previously been officially acknowledged.

In the past, there has been a fierce debate in the Inter-Agency regarding the role of DoD in conducting computer network defense. Was it better situated to defend not only DoD but the government as a whole and even the private sector against cyber-attacks? Adding to the debate was the fact that there are definitions galore: definitions not only of what a cyber-attack is, but also of what constitutes cybersecurity, defense, exploitation, an incident, an intrusion, or a significant incident. The terms went on, as did the arguments over the roles of the various government agencies involved in cyberspace operations.

Among the advocates in this melee was General Alexander (then Director of the NSA and Commander of U.S. Cyber Command); stories and “rumor intelligence” widely reported that he had been “taken to the woodshed” by the Administration for his comments that DoD should defend the country and, more controversially, the private sector from cyber-attacks.

Well, General Alexander was correct, as the new 2015 DoD Strategy admits not only in its introduction:

In concert with other agencies, the United States’ Department of Defense (DoD) is responsible for defending the U.S. homeland and U.S. interests from attack, including attacks that may occur in cyberspace. In a manner consistent with U.S. and international law, the Department of Defense seeks to deter attacks and defend the United States against any adversary that seeks to harm U.S. national interests during times of peace, crisis, or conflict.

but in Strategic Goal III as well, “[B]e prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence.”

When General Alexander spoke about DoD defending the private sector, people heard what the White House admonished him for: ‘you are compromising our privacy and civil liberties,’ ‘companies don’t want the Department of Defense in their networks.’ What General Alexander was advocating, though, was the government response we saw in the Sony case. Moreover, the lessons learned from Sony were captured and well documented in the new DoD Cyber Strategy. Specifically, if a cyber intrusion has severe economic significance, comes from a nation-state, carries terrorist threats, and qualifies as a cyber-attack, then DoD has a role.

General Alexander wasn’t asking to be “in” or “on” every network. He wasn’t asking to defend everything (a task no one could undertake).  He was asking to allow ALL government entities that comprise computer network defense to work through their progressions and coordinate bringing their inherent authorities to the problem, on a case-by-case basis on problems that rise to a high level of significance.

It is this latter point that both the Strategy and Secretary of Defense Carter emphasize. The Strategy clarifies what a significant consequence is: “[W]hile cyberattacks are assessed on a case-by-case and fact-specific basis by the President and the U.S. national security team, significant consequences may include loss of life, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact on the United States.” Secretary of Defense Carter, responding to a question during the roll-out at Stanford, similarly stated:

[S]omething that threatens significant loss of life, destruction of property, lasting economic damage to people. Those are — is the kind of thing as in any use of — of force against Americans or American interests where the president would determine what the response ought to be on the basis of its proportionality and its effectiveness, and it won’t be any different in cyber than it will in any other domain, and by the way, the response might not occur in cyberspace, but might recur — might occur in a different way.

We don’t need DoD getting involved in every cyber incident or intrusion that occurs.  A point well understood by General Alexander.  Cyber support has many facets from forensics, to problem set analysis, to plain old technical assistance.

With this bluntly and candidly stated in the new strategy, the tough part now becomes the process to accomplish this goal. It is this that most concerns private companies: what are the “red-lines” and “triggers” that get different government (DoD) agencies involved in a cyber incident? And what are the processes for this? Are the processes only executed or driven by government agencies, or will businesses have a seat at the table?

This new strategy is being viewed as quite the improvement over the 2011 strategy that was criticized.  Of course now comes the hard part, implementation, and as mentioned, that is what business and the private sector care about.

References

Two Observations About The New DOD Cyber Strategy, http://www.lawfareblog.com/2015/04/two-observations-about-the-new-dod-cyber-strategy/

DOD’s New Cyber Strategy Concedes Offensive Ops, http://www.afcea.org/content/?q=Article-dods-new-cyber-strategy-concedes-offensive-ops

DOD’s New ‘Transparent’ Policy on Cybersecurity Is Still Opaque, http://www.wired.com/2015/04/dods-new-transparent-policy-cybersecurity-still-opaque/

Rewiring the Pentagon: Carter’s new cyber strategy, http://fcw.com/articles/2015/04/22/rewiring-the-pentagon.aspx?m=2

2015 DOD Cyber Strategy, http://csis.org/publication/2015-dod-cyber-strategy

Defense Secretary Outlines New Cybersecurity Strategy, http://www.darkreading.com/attacks-breaches/defense-secretary-outlines-new-cybersecurity-strategy-/d/d-id/1320147

White House, NSA weigh cybersecurity, personal privacy, http://www.washingtonpost.com/world/national-security/white-house-nsa-weigh-cyber-security-personal-privacy/2012/02/07/gIQA8HmKeR_story.html

Homeland Security chief calls Sony hack ‘an attack on our freedom of expression’, http://www.theverge.com/2014/12/19/7422711/homeland-security-chief-calls-sony-hack-an-attack-on-our-freedom-of

DoD Cyber Strategy, http://www.defense.gov/home/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf

Remarks by Secretary Carter at the Drell Lecture, Cemex Auditorium, Stanford Graduate School of Business, Stanford, California, Presenter: Defense Secretary Ash Carter, April 23, 2015, http://www.defense.gov/Transcripts/Transcript.aspx?TranscriptID=5621

DOD’s “First” Cyber Strategy is Neither First, Nor a Strategy, http://www.forbes.com/sites/seanlawson/2011/08/01/dods-first-cyber-strategy-is-neither-first-nor-a-strategy/


