The Defense Department will release a new cyber strategy next week to guide the way ahead for cyber in the foreseeable future, a senior Pentagon official told Congress this week.
Testifying before the Senate Committee on Armed Services’ emerging threats and capabilities subcommittee, Eric Rosenbach, assistant secretary of defense for homeland defense and global security, explained how DoD plans to continue improvement to America’s cybersecurity posture.
“To show that we’re thinking very clearly about this,” Rosenbach said, “next week we’ll release a new strategy for the department that will guide the way forward for the next several years in cyber.”
Defense Secretary Ash Carter has driven this effort, he added.
Rosenbach said defending DoD’s networks is the department’s most important cyber mission.
“I know that may be surprising when you think about the Department of Defense,” Rosenbach said. “We’re very network-reliant and network-centric.”
DoD has the largest enterprise network in the world, he added, and all military operations depend on that network.
Secondly, Rosenbach said, the Defense Department needs to defend the nation against significant cyberattacks.
“This is a small part of all the cyberattacks against the US — not a denial-of-service attack, unless it would cross the threshold of armed attack for most instances,” he said.
“The Department of Defense is not here to defend against all cyberattacks — only that top 2 percent — the most serious,” Rosenbach added.
Finally, he said, the department wants to provide full-spectrum cyber options to the president or the defense secretary in cases that would be advantageous to national interests.
Rosenbach said in light of the evolving nature of the threat, DoD is committed to a comprehensive, whole-of-government cyber strategy to deter attacks.
“This strategy depends on the totality of US actions, to include declaratory policy, overall defensive posture, effective response procedures, indication and warning capabilities, and the resilience of U.S. networks and systems,” Rosenbach said.
Within this, Rosenbach said, the department has three specific roles within the US government from a deterrent perspective.
“First, we need to develop capabilities to deny a potential attack from achieving its desired effect,” he said. “Second, the US must increase the cost of executing a cyberattack. In this regard, DoD must be able to provide the president with options to respond to cyberattacks on the US, if required, through cyber and other means.”
Rosenbach emphasized that potential responses to cyberattacks are considered not only from a purely cyber perspective, but also in a way that encapsulates foreign policy tools and military options.
Finally, he said, it’s important to ensure resilience so the cyber infrastructure can bounce back from an attack.
“This, when it comes down to it, is pure cost benefit-type analysis to make sure the cost is much higher than the benefit to the adversaries who want to attack us,” Rosenbach said.
To bolster its deterrence strategy, Rosenbach said, DoD has made a conscious decision to invest in capabilities and the cyber mission force.
“We have built robust intelligence,” he said. “I do think that it’s an important part of it, although not the core part, and we know that we need to reduce the anonymity of cyberspace so that adversaries who attack us don’t think they can get away with it.
“These attribution capabilities have increased significantly in recent years,” Rosenbach continued, “and we continue to work closely with intelligence and law enforcement to improve this.”
To carry out these missions, the Defense Department is building a cyber mission force composed of 133 teams, Rosenbach explained.
“There’s an important role for the National Guard and the reserve,” Rosenbach said. “We want to capitalize on the expertise that folks who are in the private sector, but still want to serve their country, have.”
Building a cadre of cyber experts is very important to the defense secretary, Rosenbach told lawmakers. Since taking office, he said, one of Carter’s top priorities has been ensuring DoD has new “tunnels” for talent to enter the department’s cyber community.
Building strong partnerships with the private sector — as well as with other government agencies, allies and partners – also is important, Rosenbach said.
“The geography of the Internet itself means we can’t do this alone,” Rosenbach continued, adding, “We’ve invested a lot of time — even recently — in Asia, the [Persian] Gulf and other places in the Middle East, and of course, [with] our traditional allies … and in NATO, in this area.”
Rosenbach also emphasized the important role Congress plays in passing legislation that improves the standard of cybersecurity.