WASHINGTON — The Pentagon's new cyber strategy emphasizes deterrence, a shift that analysts say is a subtle, but important, change for the future of the department.
It also sets up a reliance on the commercial technology sector, which comes with a new push to strengthen ties between Silicon Valley and the Pentagon.
The new strategy, released April 23, represents the first update to the Pentagon's cyber strategy since 2011 — a veritable lifetime given the speed at which technology has developed.
The overall focus of the strategy falls into three categories: defending Defense Department networks, systems and information; defending against cyber attacks of what the department calls "significant consequence;" and providing integrated cyber capabilities to military operations.
Although the network was unclassified, and the issue was handled within 24 hours, Carter said the incident was "worrisome" and highlights the need for an updated cyber strategy.
Ben FitzGerald, of the Center for a New American Security, said the new strategy tries to encapsulate recent experiences of the Pentagon and the Obama administration.
"I think this strategy is trying to formalize some of the thinking and actions that have been taken over the last year or two," he said.
Jasper Graham, former technical director at the NSA and now a senior vice president with cyber intelligence firm Darktrace, said the updated strategy is "definitely something that was needed."
The latest strategy "assigns role and responsibilities, but also talks about understanding how they have to educate people and integrate across agencies," Graham said.
Both men were struck by the overall attitude of the strategy, one that openly discusses cyber deterrence and potential retaliation for digital attacks against the US.
The Pentagon is "finally being a little more open about the fact it exists and there is a thing called 'offensive cyber' that is out there, and it's not just about playing defense," he said. "Other people are developing offensive cyber strategy, and if you have to protect yourself in the realm, you have to have both a defensive and offensive strategy."
All In On Deterrence
The formal language included in the strategy goes like this: "Deterrence is partially a function of perception. It works by convincing a potential adversary that it will suffer unacceptable costs if it conducts an attack on the United States, and by decreasing the likelihood that a potential adversary's attack will succeed.
"The United States must be able to declare or display effective response capabilities to deter an adversary from initiating an attack; develop effective defensive capabilities to deny a potential attack from succeeding; and strengthen the overall resilience of US systems to withstand a potential attack if it penetrates the United States' defenses."
In his speech, Carter said the goal is to "deter malicious action before it happens," but warned that retaliation is on the table.
"Adversaries should know that our preference for deterrence and our defensive posture don't diminish our willingness to use cyber options if necessary," Carter said. "And when we do take action — defensive or otherwise, conventionally or in cyberspace — we operate under rules of engagement that comply with domestic and international law."
FitzGerald noted that the strategy smartly leaves open multiple options for how the US can respond to a cyber threat.
That language shows an "understanding that cyber is kind of an asymmetrical platform," Graham said.
"We do have the ability within the cyber realm to push if we're pushed back," he added. "And I think that's OK to say that, [so] folks understand that there will be repercussions for their actions."
Given the Pentagon's renewed focus on cyber, FitzGerald argues it should "absolutely elevate" US Cyber Command to a Combatant Command.
"The primary reason for that should be to improve command and control," he said. "Regardless of offense or defense, DoD will need to increase its ability to coordinate cyber actions internally and with its partners, as Carter discussed [in his speech]. Removing the additional layer of C2 that USSTRATCOM brings would help do that."
Help From California
It was no surprise that Carter picked Stanford to make his big announcement. Throughout his time at the Pentagon, Carter has established a reputation as a technocrat, someone who appreciates the rapid growth of technological development that comes out of Silicon Valley.
"One way we're responding is by being more transparent, to raise awareness in both the public and private sector," Carter said. "Indeed, shining a bright light on such intrusions can eventually benefit us all — governments and businesses alike — by spurring us to better work together."
FitzGerald acknowledged that the "jury is absolutely out" on whether this latest attempt to tap the tech industry will work, but held out some optimism, in particular because of Carter's plan to establish the Defense Innovation Unit Experimental, a permanent DoD office housed just minutes from the heart of the valley.
"DoD has been talking up Silicon Valley engagement, but it's usually just shuttle diplomacy," FitzGerald said. "This is a good way to have an ongoing relationship."
Steve Grundman, principal of Grundman Advisory and Lund Fellow at the Atlantic Council, also sees reason for optimism.
"Carter is signaling to the Pentagon itself that 'I, the new secretary of all defense, care about this. I know some things about it, and I know some people out here, and it matters to me,'" Grundman said. "The symbolism has some substance to it."
Graham said the department will probably find more success going for smaller start-ups in need of cash first, rather than targeting the Googles of the world.
"As smaller companies interact with DoD, there will be really good ideas that start to get implemented, some of the bigger players will notice and they'll want to get involved," he said. "I don't think it will be an instantaneous reward."
One positive sign for Carter's hopes? A warm reception from the National Defense Industrial Association (NDIA), which represents the traditional defense players.
In a statement, NDIA Board Chair Arnold Punaro called Carter's speech and cyber strategy release "a game-changer towards harnessing the entrepreneurial genius of American industry and providing a realistic and achievable strategy in the incredibly complex cyber world."
"We welcome Secretary Carter's approach with open arms, but we also recognize that significant institutional and cultural barriers remain — in Congress, in the department, and in industry, both traditional and non-traditional suppliers," the statement reads. "We commit to breaking down our own barriers and look forward to working with Congress and the department to breaking down theirs."
Aaron Mehta was deputy editor and senior Pentagon correspondent for Defense News, covering policy, strategy and acquisition at the highest levels of the Defense Department and its international partners.