New Pentagon cyber strategy to discuss nation's offensive capabilities

Defense Secretary Ashton B. Carter will lay out the military’s new strategy for fighting battles over computer networks Thursday, today, officials said, revealing what analysts say appears be a tougher, more offensive approach to cyber warfare.

It’s the first major update to the Pentagon’s cyber strategy in four years, a period during which American businesses have suffered major attacks, including the assault late last year on Sony Pictures Entertainment.

The document, to be unveiled as Carter delivers a speech at Stanford University, includes descriptions of ways the military can use computers in all stages of a conflict, according to a summary provided by defense officials Wednesday — a sign that the department is opening up about its offensive capabilities.

The Defense Department has been bolstering those capabilities in recent years, establishing a new command at Fort Meade and training thousands of military and civilian personnel in cyber warfare.

Analysts said the new strategy effectively acknowledges what has long been an open secret: The military is not merely interested in defending its own computers, but wants to attack those controlled by its adversaries.

“This is a declaration that we're going to view offensive cyber capabilities as a major tool in our arsenal,” said Richard FornoÖ, the director of the graduate cybersecurity program at the University of Maryland, Baltimore County.

The Pentagon is still feeling its way forward in cyberspace, where it shares responsibilities with the Department of Homeland Security, the FBI and the private sector.

Since Carter became defense secretary in February, he has focused on fleshing out the department’s contributions to cyber defense. For his first domestic visit as secretary, he chose troops stationed at U.S. Cyber Command at Fort Meade

The new strategy reflects the growing number and sophistication of attacks against American computer networks in recent years.

Commanders have been open about their intention to better protect military networks and key infrastructure in the event of a major attack. But they have been cagey about acknowledging the nation’s offensive hacking abilities.

That’s partly because those abilities have been developed with the aid of the highly secretive National Security Agency, and partly because officials are worried about potential damage to American businesses if the Internet comes to be seen as a tool of the military, analysts said.

When the Defense Department was preparing its first cyber strategy in 2011, researcher Ian Wallace said, there was an intense debate about acknowledging the military’s offensive capabilities.

Even the language expected to appear in the new strategy indicates that there is “still a reluctance to be blunt,” said Wallace, with the New America Foundation.

There has been little public information about the military’s powers to launch attacks over computer networks, but some indications of the department’s thinking and abilities have trickled out.

The United States is widely believed to have been behind the 2009 Stuxnet virus attack on Iran’s Natanz nuclear facility, and Defense Department documents describe plans to knock out enemy computer systems — to take air defenses offline, among other purposes, or change data to confuse adversaries.

Eric Rosenbach, a top adviser to Carter on cyber issues, told a Senate panel last week that planners are considering how to attack civilian targets, but said details were classified.

Rosenbach told the Senate Armed Services subcommittee on emerging threats and capabilities that the department’s plans to build a 6,000-member cyber force had fallen behind schedule and training would not likely be complete until 2018.

Facing stiff questioning from Sen. Bill Nelson, a Florida Democrat, Rosenbach said the Cyber Command currently did not yet have “a robust capability” to mount campaigns in cyberspace.

Trey Herr, a researcher at George Washington University's cyber institute, said laying out a new strategy should help the department develop specific plans for training and procurement.

“One of the reasons that [Carter’s office] believes they need a document like this ... is to understand what capabilities they have to acquire,” Herr said.

The government has been treading a fine line in its efforts to help secure the Internet from hackers, while still retaining significant powers to conduct terrorism and computer security investigations.

On Wednesday, the House of Representatives passed a bill that would make it easier for companies to share information on cyber attacks with the government — a measure privacy advocates worry would open a back door for spies.

And Senate Majority Leader Mitch McConnell introduced a bill that would allow a sweeping NSA program that collects data about phone calls to continue, another tool disliked by privacy groups. Without action by Congress the law authorizing that program will expire June 1.

Carter’s visit to Silicon Valley is part of a campaign by top government officials, from President Barack Obama on down, to repair relationships with technologists after former NSA contractor Edward Snowden revealed how spies exploit tech companies to obtain data from online services.

Officials said the Defense Department would make a similar move as early as next month.

Carter is expected to explain how the Defense Department can work more closely with Silicon Valley leaders. His itinerary includes a visit to venture capitalists and veterans working at Facebook.

iduncan@baltsun.com

twitter.com/iduncan