WASHINGTON, September 29, 2015 — Defense and deterrence are two of the highest priorities for bolstering the nation’s cybersecurity capabilities, top officials from the Defense Department and the intelligence community told a Senate panel here today.
Deputy Defense Secretary Bob Work testified on cybersecurity policy and threats before the Senate Armed Services Committee. Joining him were Director of National Intelligence James R. Clapper and Navy Adm. Michael S. Rogers, commander of U.S. Cyber Command and director of the National Security Agency.
In his remarks to the panel, Clapper said that for the third year in a row, cyber-threats headed the list of threats reported in the annual National Intelligence Worldwide Threat Assessment.
“Although we must be prepared for a large Armageddon-scale strike that would debilitate the entire U.S. infrastructure, that is not … the most likely scenario,” Clapper added.
The primary concern is low- to moderate-level cyberattacks from a growing range of sources that will continue and probably expand, he said, adding that in the future he expects to see more cyber operations that manipulate electronic information to compromise its integrity, as opposed to deleting or disrupting access to it.
Clapper said President Barack Obama has directed him to form a small center that will integrate cyber-threat intelligence from across federal agencies, as do centers established over the years for counterterrorism, counter-proliferation and counterintelligence.
In his remarks to the panel, Work said recent cyber intrusions involving the Office of Personnel Management, the Joint Staff and Sony by three separate state actors are “not just espionage of convenience, but a threat to our national security.”
Earlier this year, the department released a new strategy to guide the development of its cyber forces and strengthen its cybersecurity and cyber deterrence postures. The previous cyber strategy was released in 2011.
DoD Core Missions
As laid out in the new strategy, DoD’s core missions are to defend DoD network systems and information, defend the nation against cyber events of significant consequence, and provide cyber support to operational and contingency plans.
“In this regard, U.S. Cyber Command may be directed to conduct cyber operations in coordination with other government agencies … to deter and defeat strategic threats in other domains,” Work said.
On cyber deterrence, Work acknowledged that he and Defense Secretary Ash Carter “recognize that we are not where we need to be in our deterrent posture,” and the revised strategy is designed to help improve cyber deterrence.
Deterrence works by convincing any potential adversary that the costs of conducting an attack far outweigh potential benefits, Work said, describing the three pillars of the cyber deterrence strategy as denial, resilience and cost imposition.
“Denial means preventing the cyber adversary from achieving his objectives; resilience is ensuring that our systems will perform their essential military tasks even when they are contested in the cyber environment; and cost imposition is our ability to make our adversaries pay a much higher price for malicious activities than they [expected],” the deputy secretary explained.
Work said that because nearly every successful network exploitation involving the Defense Department can be traced to one or more human errors that allowed entry into the network, raising the level of individual cybersecurity awareness and performance is critical.
“As part of this effort, we recently published a cybersecurity discipline implementation plan and a scorecard that is brought before the secretary and me every month,” he said.
The scorecard holds commanders accountable for hardening and protecting their critical systems, and allows them to hold their personnel accountable, Work said, noting that the first scorecard was published in August.
“Denial also means defending the nation against cyberthreats of significant consequence,” Work said, “and the president has directed DoD, working in partnership with other agencies, to be prepared to blunt and stop the most dangerous cyber events.”
Fighting Through Cyberattacks
On resilience, Work explained that adversaries view DoD's cyber dependence as a potential wartime vulnerability, so the department views its ability to fight through cyberattacks as a critical mission function.
“That means normalizing cybersecurity as part of our mission-assurance efforts, building redundancy whenever our systems are vulnerable, and training constantly to operate in a contested environment. Our adversaries have to see that these cyberattacks will not provide them a significant operational advantage,” Work said.
The third aspect of deterrence means demonstrating the ability to respond through cyber and non-cyber means to impose costs on a potential adversary.
“The administration has made clear that we respond to cyberattacks in the time, manner and place of our choosing, and the department has developed cyber options to hold an aggressor at risk in cyberspace if required,” Work said.
During his testimony, Rogers said the military is in constant contact with agile, learning adversaries in cyberspace who have shown the capacity and willingness to take action against soft targets in the United States.
Some countries are integrating cyber operations into a total strategic concept for advancing their regional ambitions, he said, “to use cyber operations to influence the perceptions and actions of states around them and shape what we see as our options for supporting allies and friends in a crisis.”
“We need to deter these activities by showing that they are unacceptable, unprofitable and risky for the instigators,” he added.
U.S. Cyber Command is building capabilities that contribute to deterrence, the admiral told the panel.
“We are hardening our networks and showing an opponent that cyber aggression won't be easy,” Rogers said. “We are creating the mission force — trained and ready like any other maneuver element that is defending DoD networks — supporting joint force commanders and helping defend critical infrastructure within our nation.”
U.S. Cyber Command has made measurable progress, he added. “We are achieving significant operational outcomes and we have a clear path ahead."
Bob Work Robert O. Work was confirmed as the 32nd Deputy Secretary of Defense on April 30, 2014.
Deputy Secretary: Raising Level of Cybersecurity Awareness Paramount
Special Report: DoD Cyber Strategy
James R. Clapper
Navy Adm. Michael S. Rogers