Defense, Intel Leaders: Cybersecurity Priorities are Defense, Deterrence
By Cheryl Pellerin, DoD News, Defense Media Activity.
Washington D.C. — (DoD News) — September 29, 2015 — Defense and deterrence are two of the highest
priorities for bolstering the nation’s cybersecurity capabilities, top officials
from the Defense Department and the intelligence community told a Senate panel
Deputy Defense Secretary Bob Work testified on cybersecurity policy and
threats before the Senate Armed Services Committee. Joining him were Director of
National Intelligence James R. Clapper and Navy Adm. Michael S. Rogers,
commander of U.S. Cyber Command and director of the National Security Agency.
In his remarks to the panel, Clapper said that for the third
year in a row, cyberthreats headed the list of threats reported in the annual
National Intelligence Worldwide Threat Assessment.
“Although we must be prepared for a large Armageddon-scale
strike that would debilitate the entire U.S. infrastructure, that is not … the
most likely scenario,” Clapper added.
The primary concern is low- to moderate-level cyberattacks
from a growing range of sources that will continue and probably expand, he said,
adding that in the future he expects to see more cyber operations that
manipulate electronic information to compromise its integrity, as opposed to
deleting or disrupting access to it.
Clapper said President Barack Obama has directed him to form
a small center that will integrate cyberthreat intelligence from across federal
agencies, as do centers established over the years for counterterrorism,
counterproliferation and counterintelligence.
In his remarks to the panel, Work said recent cyber
intrusions involving the Office of Personnel Management, the Joint Staff and
Sony by three separate state actors are “not just espionage of convenience, but
a threat to our national security.”
Earlier this year, the department released a new strategy to
guide the development of its cyber forces and strengthen its cybersecurity and
cyber deterrence postures. The previous cyber strategy was released in 2011.
DoD Core Missions
As laid out in the new strategy, DoD’s core missions are to
defend DoD network systems and information, defend the nation against cyber
events of significant consequence, and provide cyber support to operational and
“In this regard, U.S. Cyber Command may be directed to
conduct cyber operations in coordination with other government agencies … to
deter and defeat strategic threats in other domains,” Work said.
On cyber deterrence, Work acknowledged that he and Defense
Secretary Ash Carter “recognize that we are not where we need to be in our
deterrent posture,” and the revised strategy is designed to help improve cyber
deterrence. Deterrence works by convincing any potential adversary that the
costs of conducting an attack far outweigh potential benefits, Work said,
describing the three pillars of the cyber deterrence strategy as denial,
resilience and cost imposition.
“Denial means preventing the cyber adversary from achieving
his objectives; resilience is ensuring that our systems will perform their
essential military tasks even when they are contested in the cyber environment;
and cost imposition is our ability to make our adversaries pay a much higher
price for malicious activities than they [expected],” the deputy secretary
Work said that because nearly every successful network
exploitation involving the Defense Department can be traced to one or more human
errors that allowed entry into the network, raising the level of individual
cybersecurity awareness and performance is critical. “As part of this effort, we
recently published a cybersecurity discipline implementation plan and a
scorecard that is brought before the secretary and me every month,” he said.
The scorecard holds commanders accountable for hardening and
protecting their critical systems, and allows them to hold their personnel
accountable, Work said, noting that the first scorecard was published in August.
“Denial also means defending the nation against cyberthreats
of significant consequence,” Work said, “and the president has directed DoD,
working in partnership with other agencies, to be prepared to blunt and stop the
most dangerous cyber events.”
Fighting Through Cyberattacks
On resilience, Work explained that adversaries view DoD's
cyber dependence as a potential wartime vulnerability, so the department views
its ability to fight through cyberattacks as a critical mission function.
“That means normalizing cybersecurity as part of our
mission-assurance efforts, building redundancy whenever our systems are
vulnerable, and training constantly to operate in a contested environment. Our
adversaries have to see that these cyberattacks will not provide them a
significant operational advantage,” Work said.
The third aspect of deterrence means demonstrating the
ability to respond through cyber and non-cyber means to impose costs on a
“The administration has made clear that we respond to
cyberattacks in the time, manner and place of our choosing, and the department
has developed cyber options to hold an aggressor at risk in cyberspace if
required,” Work said.
During his testimony, Rogers said the military is in constant
contact with agile, learning adversaries in cyberspace who have shown the
capacity and willingness to take action against soft targets in the United
Some countries are integrating cyber operations into a total
strategic concept for advancing their regional ambitions, he said, “to use cyber
operations to influence the perceptions and actions of states around them and
shape what we see as our options for supporting allies and friends in a crisis.”
“We need to deter these activities by showing that they are
unacceptable, unprofitable and risky for the instigators,” he added.
U.S. Cyber Command is building capabilities that contribute
to deterrence, the admiral told the panel. “We are hardening our networks and
showing an opponent that cyber aggression won't be easy,” Rogers said. “We are
creating the mission force -- trained and ready like any other maneuver element
that is defending DoD networks -- supporting joint force commanders and helping
defend critical infrastructure within our nation.” U.S. Cyber Command has made
measurable progress, he added. “We are achieving significant operational
outcomes and we have a clear path ahead.”