Pentagon pushes for offensive cyber ops in new attack strategy
A new document outlining the United States military’s strategy regarding offensive cyber-ops was published by the Pentagon on Thursday this week, and Ashton Carter, the recently confirmed US secretary of defense, spoke of the report during a lecture at Stanford University in California.
Among the strategic goals included in the report is the aim of building and maintain “viable cyber options” to use in the event of heightened tensions or hostilities.
The Pentagon “should be able to use cyber operations to disrupt an adversary’s command and control networks, military-related critical infrastructure and weapons capabilities,” according to the plan of attack published this week.
“The United States must be able to declare or display effective response capabilities to deter an adversary from initiating an attack,” reads part of the report, “develop effective defensive capabilities to deny a potential attack from succeeding and strengthen the overall resilience of US systems to withstand a potential attack if it penetrates the United States’ defenses.”
Carter told reporters traveling to Stanford with him on Thursday that the new strategy is “more clear and more specific about everything, including offense” that was otherwise included in the DoD’s last edition, the ‘Strategy for Operating in Cyberspace’ published by the Pentagon in 2011, according to the Associated Press.
“It will be useful to us for the world to know that, first of all, we’re going to protect ourselves,” Carter told AP, noting that deterrence efforts now include “a threat to retaliate against those who do us harm.”
In October, Rep. Mike Rogers (R-Michigan), the chair of the House Intelligence Committee, said during a panel discussion in Washington, DC, that the US was not yet prepared to handle a state-sponsored cyber-attack and said that policies must be enacted that give the government guidance to launch online assaults of their own.
“The very fact that a nation state believes that they could do that without any problem or consequence is another very, very serious issue for us,” Rogers said.
On Thursday, Carter confirmed publically for the first time that the Pentagon’s unclassified networks had been penetrated by Russian hackers earlier this year. He said the attack was executed by exploiting a vulnerability that hadn’t been patched, and that the hackers were promptly dealt with.
“But I still worry about what we don’t know,” Carter said, “because this was only one attack that we found.”
Members of the House and Senate have advocated for new cyber laws in the wake of the security breach suffered by the networks of Sony Pictures Entertainment last year. Earlier this month Eric Rosenbach, the assistant secretary of defense for homeland defense and global security, told Congress that the Pentagon wants to provide a full-spectrum of cyber options to the Obama administration in cases that would be advantageous to national interests.
“This strategy depends on the totality of US actions, to include declaratory policy, overall defensive posture, effective response procedures, indication and warning capabilities and the resilience of US networks and systems,” Rosenbach told a Senate subcommittee on emerging threats and capabilities.
Officially, the US government has blamed North Korea for the massive Sony breach that is believed to have cost the Hollywood firm $35 million. North Korea suffered from digital interruptions following the White House’s assessment last year, but US officials have refrained from taking any responsibility with regards to a retaliatory attack.
At Stanford, Sec. Carter called the Sony cyberattack the “most destructive on a US entity so far.” When asked during a question-and-answer session to describe what type of assault would trigger a response from the Pentagon, Carter replied that the military may elect to launch a cyberattack to prevent the possibility of significant loss of life, destruction of property or lasting economic damage.
“The president would determine what the response ought to be on the basis of its proportionality and its effectiveness,” Carter said.
The strategy report says that the US “will continue to respond to cyberattacks against US interests at a time, in a manner and in a place of our choosing, using appropriate instruments of US power and in accordance with applicable law.”
According to the strategy report, the US “will seek to exhaust all network defense and law enforcement options to mitigate any potential cyber risk to the US homeland or US interests before conducting a cyberspace operation” as a matter of principle.
"Adversaries should know that our preference for deterrence and our defensive posture don't diminish our willingness to use cyber options if necessary," Carter said at Stanford.