The Pentagon released a long-promised cybersecurity plan Thursday that declares the Internet a domain of war.
The plan notably does not spell out how the U.S. military would use the Web for offensive strikes.
The Defense Department’s first-ever plan for cyberspace calls on the DoD to expand its ability to thwart attacks from other nations and groups, beef up its cyber workforce and expand collaboration with the private sector.
Like major corporations and the rest of the federal government, the military “depends on cyberspace to function,” the DoD plan says. The U.S. military uses cyberspace for everything from carrying out military operations to sharing intelligence data internally to managing personnel.
“The department and the nation have vulnerabilities in cyberspace,” the document states. “Our reliance on cyberspace stands in stark contrast to the inadequacy of our cybersecurity.”
Other nations “are working to exploit DoD unclassified and classified networks, and some foreign intelligence organizations have already acquired the capacity to disrupt elements of DoD’s information infrastructure,” the plan states. “Moreover, non-state actors increasingly threaten to penetrate and disrupt DoD networks and systems.”
Groups are capable of this largely because “small-scale technologies” that have “an impact disproportionate to their size” are relatively inexpensive and readily available.
The Pentagon plans to focus heavily on three areas under the new strategy: the theft or exploitation of data; attempts to deny or disrupt access to U.S. military networks; and any attempts to “destroy or degrade networks or connected systems.”
One problem highlighted in the strategy is a baked-in threat: “The majority of information technology products used in the United States are manufactured and assembled overseas.”
DoD laid out a multi-pronged approach to address those issues.
As foreshadowed by Pentagon officials’ comments in recent years, the plan etches in stone that cyberspace is now an “operational domain” for the military, just as land, air, sea and space have been for decades.
“This allows DOD to organize, train and equip for cyberspace” as in those other areas, the plan states. It also noting the 2010 establishment of U.S. Cyber Command to oversee all DOD work in the cyber realm.
The second leg of the plan is to employ new defensive ways of operating in cyberspace, first by enhancing the DoD’s “cyber hygiene.” That term covers ensuring data on military networks remains secure, using the Internet wisely, and designing systems and networks to guard against cyber strikes.
The military will continue its “active cyber defense” approach of “using sensors, software, and intelligence to detect and stop malicious activity before it can affect DOD networks and systems.” It also will look for new “approaches and paradigms” that will include “development and integration … of mobile media and secure cloud computing.”
The plan underscores efforts long underway at the Pentagon to work with other government agencies and the private sector. It also says the Pentagon will continue strong cyber R&D spending, even in a time of declining national security budgets.
Notably, it calls the Department of Homeland Security the lead for “interagency efforts to identify and mitigate cyber vulnerabilities in the nation’s critical infrastructure.” Some experts have warned against DOD overstepping on domestic cyber matters.
The Pentagon also announced a new pilot program with industry designed to encourage companies to “voluntarily [opt] into increased sharing of information about malicious or unauthorized cyber activity.”
The strategy calls for a larger DoD cyber workforce.
One challenge, Pentagon experts say, will be attracting top IT talent because the private sector can pay much larger salaries — especially in times of shrinking Defense budgets. To that end, “DOD will focus on the establishment of dynamic programs to attract talent early,” the plan states.
On IT acquisition, the plan lays out several changes, including: faster delivery of systems; moving to incremental development and upgrading instead of waiting to buy “large, complex systems”; and improved security measures.
Finally, the strategy states an intention to work more closely with “small- and medium-sized business” and “entrepreneurs in Silicon Valley and other U.S. technology innovation hubs.”