The U.S. military is changing its approach to cyberspace in ways that could reverberate across the control networks all Americans rely on to deliver water, electricity and other critical services.
Defense Secretary Ash Carter traveled to Silicon Valley on Thursday to unveil the first formal update to the military’s cybersecurity strategy since 2011.
In a speech at Stanford University, Carter said one of the "primary aspects" of the new strategy is to work with domestic companies to lower the risk of a cyberattack endangering national security.
"Because American businesses own, operate and see approximately 90 percent of our national networks, the private sector must be a key partner," he said, adding that "if companies themselves don’t invest, our country’s collective cyber posture is weakened and our ability to augment that protection is limited."
Earlier in the week, Department of Homeland Security Secretary Jeh Johnson paid his own visit to California to tout the agency’s mission and trawl for cyber talent at the RSA security conference in San Francisco. Both DHS and the Department of Defense announced initiatives last week to expand their presence in Silicon Valley.
The two organizations share the goal of protecting the United States from damaging cyberattacks on networks such as those running the electric grid or oil and gas pipelines.
Experts say the military’s focus on mitigating risk, as well as Carter’s emphasis on the private sector’s responsibility, points to maturing government attitudes toward cybersecurity.
"If we look at cyberspace as a hostile environment and there are bad people out there who want to do bad things to us, it may cause a wholesale re-examination of the way we build our systems in the first place," noted Adam Firestone, president of cybersecurity firm Kaspersky Government Security Solutions Inc.
Firestone, whose firm works across many critical infrastructure sectors including energy, welcomed a shift away from the usual focus on responding to cyberattacks after they occur, although he said countering threats is still an important part of both the military’s and DHS’s missions.
"I think that the lines of defense or the lines of responsibility are still being drawn — but in the end, I can’t help but think that it really keeps going back to this concept of resiliency," he said.
"If you have mechanisms built in to make it less likely that a response will be necessary, I think that pays tremendous dividends," he added. "You build in resiliency in the beginning."
Calling out adversaries
DOD’s updated Cyber Strategy arrives in the wake of several damaging cyberattacks on U.S. networks that have captured public attention.
Last year’s hack of Sony Pictures Inc., which leaked thousands of internal emails and erased important company data, caused the government to warn critical infrastructure operators about destructive malware.
The Obama administration attributed the Sony hack to North Korea and later imposed new economic sanctions on individuals there.
The Cyber Strategy released Thursday didn’t shy away from naming U.S. adversaries in cyberspace.
North Korea, Iran, Russia and China were all called out for developing cyber capabilities "to target the U.S. homeland and damage U.S. interests."
In his speech Thursday, Carter disclosed a previously unreported cyberattack against unclassified defense networks that his department traced back to Russia.
"I still worry about what we don’t know, because this was only one attack that we found," he said.
The strategy included some guidance on how the United States will respond to high-profile intrusions, noting that retaliation will be carried out "in accordance with applicable law."
"[The United States is] not going to necessarily hack back in response," said Ben FitzGerald, director of the technology and national security program at the Center for a New American Security, suggesting that diplomatic, legal and financial options could be used instead.
President Obama signed an executive order last month giving the government more flexibility to slap economic sanctions on hackers who threaten U.S. interests.
"We just need to have a meaningful response — that’s a more mature way of doing it," FitzGerald said.
"The government has to make good on its commitment," he added, or else companies might consider taking matters into their own hands by striking back against online assailants.
Such private-sector "hack backs" are illegal under U.S. law (unauthorized access to another party's systems falls under the Computer Fraud and Abuse Act regardless of who struck first), not to mention potentially costly if companies challenge hackers who turn out to be backed by nation-states.
But "if we leave people hanging, the potential costs to their businesses are worth it, given the costs being imposed" by intellectual property theft or damaging cyberattacks, FitzGerald said.