Since his early 2015 swearing-in, Secretary of Defense Ashton “Ash” Carter has made updating the 2011 US Department of Defense Strategy for Operating in Cyberspace a top priority. This update came in April when the Department of Defense released the 2015 Cyber Strategy Report, which was an important step in establishing codes of conduct in cyberspace. The Pentagon developed this new cyber strategy in response to the increasing sophistication of cyber threats to US interests. The 2015 strategy is intended to shed more light on cyber capabilities that have historically been developed in the shadows.
A primary aspect of the Pentagon’s new strategy is working with partners in the private sector. According to Carter, around 90 percent of US national internet networks are owned and operated by businesses. To improve private sector integration, the Obama administration has urged Silicon Valley’s tech firms to join the fight by enhancing threat intelligence sharing with government agencies and adopting security standards outlined by the National Institute of Standards and Technology Cybersecurity Framework. The Pentagon also intends to establish a full-time outreach office, the Defense Innovation Unit Experimental, in Silicon Valley to recruit talented technologists for defense efforts.
Convincing gifted programmers and engineers to forgo their high-paying salaries in order to serve their country has been difficult. Over the past decade, attempts to bridge the divide between Silicon Valley and the Pentagon have largely failed due to culture shock on both sides. Adding to this culture shock are tensions between Washington and Silicon Valley over privacy concerns stemming from the government’s bulk data collection programs. Secretary Carter acknowledged that rebuilding trust after the Snowden revelations would be difficult but necessary in order to bolster US cyber capabilities.
The Pentagon’s strategy also lays out the conditions under which the United States might use cyber weapons. The strategy notes that the private sector will be responsible for detecting and deterring cyber espionage and intellectual property theft, but the Department of Homeland Security (DHS) will help defend against complex domestic cases. In scenarios involving the “loss of life, significant damage to property, serious adverse US foreign policy consequences, or serious economic impact,” the Pentagon and DHS will play “limited and specific roles.” According to the Defense Department, it would likely only be involved in less than two percent of overall attacks against the United States.
Questions of how and when the DHS will step in to help companies defend their systems have arisen from the new strategy. With the Federal Bureau of Investigation, DHS, Department of Defense, and the new Cyber Threat Intelligence Center all fighting over cybersecurity turf, industry needs may not be met. DHS and the National Security Agency remain locked in a battle over who will lead the US cybersecurity effort. Many in the cyber industry have complained the new intelligence center is redundant and that the bureaucratic expansion has hampered cybersecurity response efforts. Further complicating the relationship is the lack of liability protection given to companies for sharing information containing sensitive customer data. Given these realities, the government will need to address these ongoing concerns if it seeks to convince the private sector it can be an equitable partner in cybersecurity.