April 2015, DOD: The Department of Defense Cyber Strategy (PDF)

For first time, Pentagon strategy addresses use of cyberweapons

By Ellen Nakashima

April 23, 2015

Defense Secretary Ashton B. Carter on Thursday unveiled a new Pentagon strategy that for the first time addresses the use of cyber weapons to deter adversaries from destructive computer attacks.

The cyber strategy, which Carter announced during a speech at Stanford University, is part of a concerted effort by the Obama administration to be more transparent about the United States' use of offensive tools to defend and deter attacks.

The idea is to reduce uncertainty about the Pentagon's actions and role as foreign adversaries rapidly ramp up their cyberwarfare capabilities. The new plan explicitly calls for the Pentagon, if directed by the president, to "be able to use cyber operations to disrupt an adversary's command and control networks, military-related critical infrastructure and weapons capabilities."

The strategy, an unclassified version [1] of which was released Thursday, is a marked departure from the first cyberstrategy released in 2011. That version focused on defense to tamp down concerns that the Pentagon was seeking to militarize cyberspace.

The classified version of the new strategy is also said to be much more detailed than its predecessor, laying out an aggressive series of goals over a five-year period. The goals include developing cyber options to control conflict escalation, building and training the cyber force at U.S. Cyber Command, and being prepared to defend the United States from significant destructive cyberattacks.

"Specific targets and the specifics about military operations is something that is classified and so has to remain that way," said a senior defense official, speaking on condition of anonymity to discuss the strategy before it was released. But the options ranged from "Phase 0" actions, or operations to gather information about adversaries' systems outside of hostilities, "up until the point that there would be real armed conflict," he said. "And what we're hoping is that cyber is something that can prevent wars from occurring." The strategy also calls for minimizing loss of life and destruction of property.

When it comes to defense, "we'll do this in part through deterrence by denial," Carter said, referring to strengthening networks so they can withstand or bounce back quickly from attacks.

Officials sought to allay concerns that the department might use weapons indiscriminately.

The Pentagon will use cyber weapons only when directed by the president and only in response to attacks that rise to the "level of an armed attack" or have "a very significant consequence" such as loss of life and economic collapse, a senior defense official said.

And, he said, in the event of hostilities, they would be used according to the law of armed conflict, which calls for proportional responses and reducing harm to civilians.

Fundamentally, officials said, the strategy is an effort to integrate cyber weapons and capabilities into military contingency plans just as conventional weapons are, and to ensure they are used with precision.

In 2012, President Obama for the first time explicitly directed the Pentagon to be able to defend the nation against major cyberattacks, and the department began to build up its cyber forces.

The strategy also notes that the Pentagon's cyber missions will require close collaboration with foreign allies. It makes clear that the cyber options are among a number of tools that the United States may use to respond to and deter malicious cyber actions. The government may also take law enforcement actions, impose economic sanctions and undertake diplomatic measures.

Jason Healey, director of the Atlantic Council's Cyber Statecraft Initiative, applauded the Pentagon's effort at transparency. He said that deterrence of major destructive attacks on the United States "is working pretty well."

While lower-level incidents -- denial-of-service attacks, theft of intellectual property -- are routine, and while there have been at least two attacks on U.S. companies that destroyed data, there has not yet been a significant destructive cyberattack on U.S. soil, Healey noted. "People miss the central fact that a lot of deterrence is working," he said.