Skip to story Defense Secretary Ash Carter gives a speech to Stanford University students on April 23, 2015, in Stanford, Calif., entitled Rewiring the Pentagon: Charting a New Path on Innovation and Cybersecurity. Ben Margot/AP
When the U.S. Secretary of Defense Ashton Carter laid out the Pentagon’s new cybersecurity strategy this week, few were expecting it to break news. And, indeed, his talk at Stanford’s Hoover Institution on Thursday offered no surprises. But the secretary did set up an expectation during his speech on which he ultimately failed to deliver.
Carter talked about the need for the government to be more transparent about its cyber capabilities, in particular, its shadowy capabilities. “DoD must do its part to shed more light on cyber capabilities that have previously been developed in the shadows,” he said.
This sounded a lot like a prelude to discussing the government’s offensive operations. Was Carter going to finally admit the U.S. role in Stuxnet, the sophisticated digital weapon that the U.S. reportedly developed with Israel to sabotage centrifuges used in Iran’s uranium enrichment program? Was he going to talk about the government’s purchase and use of zero-day exploits to attack adversaries or the fact that it was using zero-days long before it had a policy about how or if they should be used? Or maybe he’d address the controversy over Flame—an espionage tool, reportedly created by the U.S. and Israel, that used a digital certificate from Microsoft to trick targeted computers into thinking it was legitimate software from the software giant, thereby undermining customer trust in Microsoft’s security update system?
The answer, it turns out, was none of the above. Instead of discussing this and other offensive operations, Carter’s reference to shadowy capabilities turned out to refer to the government’s shadowy defensive capabilities. In particular, the tactics a “crack team of incident responders” used to trace the recent breach of a DoD unclassified network to Russia.
“[T]oday,” Carter said right after mentioning the government’s shadowy capabilities, “I want to share an example we just declassified that will help illustrate the cyber threat we face and what we do about it…. Earlier this year, the sensors that guard DoD’s unclassified networks detected Russian hackers accessing one of our networks. They’d discovered an old vulnerability in one of our legacy networks that hadn’t been patched.”
The revelation, about the breach of an old, unpatched system on an unclassified network, was no revelation at all, however. What’s more, Carter’s disclosure of the breach provided no information about “shadowy capabilities” or how the government concluded that Russia was behind the attack, thereby undermining his assertion that the Pentagom aimed to be more transparent.
Carter did mention the government’s cyber offensive operations—though only vaguely. “[O]ur third mission is to provide offensive cyber options that, if directed by the President, can augment our other defense systems,” he said. He also warned that “adversaries should know that our preference for deterrence and our defensive posture don’t diminish our willingness to use cyber options if necessary. And when we do take action—defensive or otherwise, conventionally or in cyberspace—we operate under rules of engagement that comply with domestic and international law.”
Though this at least touches on the topic, it still lacks the details transparency requires. Admittedly, there was a little more detail about the government’s offensive operations in the official cybersecurity strategy the Pentagon released in conjunction with Carter’s speech. This document, which lays out the government’s cyber strategy for the next five years, officially describes the circumstances under which the government might launch an offensive cyber operation.
“There may be times when the President or the Secretary of Defense may determine that it would be appropriate for the U.S. military to conduct cyber operations to disrupt an adversary’s military-related networks or infrastructure so that the U.S. military can protect U.S. interests in an area of operations,” the document reads. “For example, the United States military might use cyber operations to terminate an ongoing conflict on U.S. terms, or to disrupt an adversary’s military systems to prevent the use of force against U.S. interests. United States Cyber Command (USCYBERCOM) may also be directed to conduct cyber operations, in coordination with other U.S. government agencies as appropriate, to deter or defeat strategic threats in other domains.”
It also discusses when attacks on U.S. commercial systems might merit a government response. “As a matter of principle, the United States will seek to exhaust all network defense and law enforcement options to mitigate any potential cyberrisk to the U.S. homeland or U.S. interests before conducting a cyberspace operation,” the document asserts.
The new doctrine also touches on—though in broad strokes only—the parameters of such operations.
“To ensure that the Internet remains open, secure, and prosperous, the United States will always conduct cyber operations under a doctrine of restraint, as required to protect human lives and to prevent the destruction of property,” it states. “Any decision to conduct cyber operations outside of DoD networks is made with the utmost care and deliberation and under strict policy and operational oversight, and in accordance with the law of armed conflict. As it makes its investments and builds cyber capabilities to defend U.S. national interests, the Defense Department will always be attentive to the potential impact of defense policies on state and non-state actors’ behavior.”
While these statements represent a rare acknowledgement that the government has and will continue to engage in cyberwarfare and cyber offensive operations, it falls short of being transparent. All of the most controversial aspects of the government’s cyberwarfare activities have been left unaddressed. What’s more, the public learned more about the government’s policy on offensive cyber operations from a presidential directive leaked by Edward Snowden than from this official release. Presidential Directive 20, published by the Guardian in 2013, lays out the government’s policy on what it calls “Offensive Cyber Effects Operations,” and describes scenarios for attack that aren’t necessarily responsive to an imminent threat but are merely done to advance U.S. interests.
According to that document, the government “can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.”
It further notes that the government will “identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power.”
And the Snowden document touches on the possibility of conducting cyber actions inside the US. These would generally occur only with the prior approval of the president, except in cases of emergency.
In short, the government’s new strategy on cybersecurity and its new policy of transparency with regard to its shadowy capabilities is still very opaque.