Cheryl Pellerin at the DoD News offers the below report:
WASHINGTON September 29, 2015 — Defense and deterrence are two of the highest priorities for bolstering the nation’s cybersecurity capabilities, top officials from the Defense Department and the intelligence community told a Senate panel here today.
Deputy Defense Secretary Bob Work testified
on cybersecurity policy and threats before the Senate Armed Services Committee.
Joining him were Director of National Intelligence James R. Clapper and Navy
Adm. Michael S. Rogers, commander of U.S. Cyber Command and director of the
National Security Agency.
In his remarks to the panel, Clapper said
that for the third year in a row, cyberthreats headed the list of threats
reported in the annual National Intelligence Worldwide Threat
Assessment.
“Although we must be prepared for a large
Armageddon-scale strike that would debilitate the entire U.S. infrastructure,
that is not … the most likely scenario,” Clapper added.
Integrating
Intelligence
The primary concern is low- to
moderate-level cyberattacks from a growing range of sources that will continue
and probably expand, he said, adding that in the future he expects to see more
cyber operations that manipulate electronic information to compromise its
integrity, as opposed to deleting or disrupting access to it.
Clapper said President Barack Obama has
directed him to form a small center that will integrate cyberthreat intelligence
from across federal agencies, as do centers established over the years for
counterterrorism, counterproliferation and counterintelligence.
In his remarks to the panel, Work said
recent cyber intrusions involving the Office of Personnel Management, the Joint
Staff and Sony by three separate state actors are “not just espionage of
convenience, but a threat to our national security.”
Earlier this year, the department released
a new strategy to guide the development of its cyber forces and strengthen its
cybersecurity and cyber deterrence postures. The previous cyber strategy was
released in 2011.
DoD Core
Missions
As laid out in the new strategy, DoD’s core
missions are to defend DoD network systems and information, defend the nation
against cyber events of significant consequence, and provide cyber support to
operational and contingency plans.
“In this regard, U.S. Cyber Command may be
directed to conduct cyber operations in coordination with other government
agencies … to deter and defeat strategic threats in other domains,” Work
said.
On cyber deterrence, Work acknowledged that
he and Defense Secretary Ash Carter “recognize that we are not where we need to
be in our deterrent posture,” and the revised strategy is designed to help
improve cyber deterrence.
Deterrence works by convincing any
potential adversary that the costs of conducting an attack far outweigh
potential benefits, Work said, describing the three pillars of the cyber
deterrence strategy as denial, resilience and cost imposition.
Cyber
Deterrence
“Denial means preventing the cyber
adversary from achieving his objectives; resilience is ensuring that our systems
will perform their essential military tasks even when they are contested in the
cyber environment; and cost imposition is our ability to make our adversaries
pay a much higher price for malicious activities than they [expected],” the
deputy secretary explained.
Work said that because nearly every
successful network exploitation involving the Defense Department can be traced
to one or more human errors that allowed entry into the network, raising the
level of individual cybersecurity awareness and performance is
critical.
“As part of this effort, we recently
published a cybersecurity discipline implementation plan and a scorecard that is
brought before the secretary and me every month,” he said.
The scorecard holds commanders accountable
for hardening and protecting their critical systems, and allows them to hold
their personnel accountable, Work said, noting that the first scorecard was
published in August.
“Denial also means defending the nation
against cyberthreats of significant consequence,” Work said, “and the president
has directed DoD, working in partnership with other agencies, to be prepared to
blunt and stop the most dangerous cyber events.”
Fighting Through
Cyberattacks
On resilience, Work explained that
adversaries view DoD's cyber dependence as a potential wartime vulnerability, so
the department views its ability to fight through cyberattacks as a critical
mission function.
“That means normalizing cybersecurity as
part of our mission-assurance efforts, building redundancy whenever our systems
are vulnerable, and training constantly to operate in a contested environment.
Our adversaries have to see that these cyberattacks will not provide them a
significant operational advantage,” Work said.
The third aspect of deterrence means
demonstrating the ability to respond through cyber and non-cyber means to impose
costs on a potential adversary.
“The administration has made clear that we
respond to cyberattacks in the time, manner and place of our choosing, and the
department has developed cyber options to hold an aggressor at risk in
cyberspace if required,” Work said.
Measurable
Progress
During his testimony, Rogers said the
military is in constant contact with agile, learning adversaries in cyberspace
who have shown the capacity and willingness to take action against soft targets
in the United States.
Some countries are integrating cyber
operations into a total strategic concept for advancing their regional
ambitions, he said, “to use cyber operations to influence the perceptions and
actions of states around them and shape what we see as our options for
supporting allies and friends in a crisis.”
“We need to deter these activities by
showing that they are unacceptable, unprofitable and risky for the instigators,”
he added.
U.S. Cyber Command is building capabilities
that contribute to deterrence, the admiral told the panel.
“We are hardening our networks and showing
an opponent that cyber aggression won't be easy,” Rogers said. “We are creating
the mission force -- trained and ready like any other maneuver element that is
defending DoD networks -- supporting joint force commanders and helping defend
critical infrastructure within our nation.”
U.S. Cyber Command has made measurable
progress, he added. “We are achieving significant operational outcomes and we
have a clear path ahead."
No comments:
Post a Comment