This story was updated at 3:40 EDT on April 23, 2015.
By unveiling a new Pentagon cyber strategy, Defense Secretary Ashton Carter has revised his department’s approach to cyberspace to account for myriad technological and policy changes over the last several years.
Carter also announced new initiatives to make DoD more capable of adopting cutting-edge commercial technologies for the protection of its networks and build tighter linkages between the department and Silicon Valley, based on the department’s recognition that it is no longer the leading force in information technology innovation.
The cyber policy revisions, which Carter announced during a speech at Stanford University, are the first significant update since 2011, when the department issued its first-ever cyber strategy.
The new strategy reflects technical advances adversaries have made over the past four years and aims to ensure the department has a well-thought-out approach to mitigate those changing threats, including by employing the new Cyber Mission Force the military services have been building over the past two years on behalf of U.S. Cyber Command.
Narrow scope for offensive capabilities
The strategy also accounts for policy clarifications that have happened since 2011. For example, President Barack Obama made explicit in 2012 that DoD has a mission to defend the country from attacks in cyberspace just as it does for a missile attack, but only in a narrow range of cases. Officials estimate that fewer than 2 percent of the cyber attacks the country has endured are severe enough to equate to an “armed attack” that would justify a response by the military’s cyber forces.
For the vast majority of incidents, the Department of Homeland Security and the FBI will remain in the lead. The new strategy reflects improved relations between those three elements of the government.
“We now work very closely with DHS and FBI, and we exercise regularly. That’s another thing that’s changed considerably over the past four years,” said a senior Defense official who spoke to reporters in advance of the announcement under the condition of anonymity. “There was a lot of interagency tension before, and the lanes in the road are much clearer now.”
Although Carter planned to use the address to signal that DoD will only use its offensive cyber capabilities in narrow circumstances, including during active military operations as an alternative or complement to kinetic attacks, he also announced several plans intended to defend the department’s networks and boost its cyber capabilities on an ongoing basis by reaching into the commercial sector for new technologies, with an emphasis on courting firms that are not accustomed to doing business with the U.S. government in general or DoD in particular.
Within the next month, DoD plans to create its own permanent presence in Silicon Valley with a new office called the Defense Innovation Unit-Experimental (DIU-X). Initial plans call for the military to house the unit at Moffett Field, a former naval air station that now houses NASA’s Ames Research Center in Mountain View, California, a few miles from Google’s corporate headquarters.
Officials said DoD will staff DIU-X with an “elite cadre” of DoD civilian and active duty personnel, but will get significant help from an ongoing rotation of select members of the National Guard and reserve forces who work in the technology field. Many of the initial selectees from the reservist population have already started and sold successful tech companies, officials said. The unit’s primary tasks will be to pick out “game changing” technologies with potential military applications and to build closer relationships between the commercial tech sector and DoD.
“We’re especially interested in small businesses, and even though we already have robust and successful programs to reach out to small business, they tend to be in communities that are already familiar with doing business with DoD,” another senior Defense official said. “The thing we’re after here is to try to build contacts and relationships with companies who aren’t thinking about defense as a primary customer, but who have technologies that are very applicable to our needs.”
Digital services team coming
Additionally, the Pentagon will launch a pilot program in which it will begin to make direct financial investments in private-sector endeavors that it hopes will yield cybersecurity benefits in the future. The idea is not unheard of: The intelligence community has a similar endeavor called In-Q-Tel, a nonprofit corporation that funnels federal funding into private ventures that offer promising technologies for the CIA and other IC agencies.
In the initial stages of the pilot, the Pentagon will partner with In-Q-Tel and invest its own funds in that program before deciding whether to move forward with a similar venture of its own.
“We’re going to start small with a team of people that will bring together operator perspectives as well as technology perspectives to help guide the investments we end up making. But if it’s successful, we’re going to expand it after its first year of operations,” the senior official said.
Carter also announced that DoD is launching its own offshoot of the U.S. Digital Service, the strike teams of outside technology experts that first began when the Office of Management and Budget recruited and then employed “special government employees” to rescue HealthCare.gov, the portal for the Affordable Care Act, from imminent disaster.
DoD’s iteration of the service will be made up of a small staff housed within the Pentagon, at least to begin with. Its first assignment will be to apply private-sector expertise to the sharing of health care data between DoD and the Veterans Affairs Department.
“There are a host of business system problems they could address for us, but we’re going to start with this and build the relationship, and I expect that very good things will come from this,” the official said. “It’s an interesting and novel way to get at some of our core problems, using the best people in the country to attack them.”