CybersecurityU.S. adopts a more assertive cyber defense posture

Recent cyberattacks and intrusions by hackers, operating alone or backed by nation-states, have prompted the Pentagon and DHS to reaffirm their commitment to upholding the reliability and integrity of America’s cyber network and the systems connected to it. Americans rely on the connected Web to deliver critical services such as water and electricity, and should the Web be breached by bad actors, the consequences could threaten national security.

In a recent speech at Stanford University, Defense Secretary Ashton Carter told a room of Silicon Valley executives and cybersecurity professionals that one of the “primary aspects” of the Pentagon’s new cyber strategy is to work with domestic firms to lower the risk of a cyberattack endangering national security. “Because American businesses own, operate and see approximately 90 percent of our national networks, the private sector must be a key partner,” he said, adding that “if companies themselves don’t invest, our country’s collective cyber posture is weakened and our ability to augment that protection is limited.”

Energy Wirereports that at last week’s RSA security conference in San Francisco, DHS chief Jeh Johnson stopped by to discuss the agency’s mission and search for cyber talent. Both DHS and the Pentagon plan to open offices in Silicon Valley. Experts say the agencies’ focus on cybersecurity and engagement with the private sector will prompt a new level of thinking within the cybersecurity sector. “If we look at cyberspace as a hostile environment and there are bad people out there who want to do bad things to us, it may cause a wholesale re-examination of the way we build our systems in the first place,” noted Adam Firestone, president of cybersecurity firm Kaspersky Government Security Solutions Inc.

Last year’s cyberattack on Sony Pictures, which the government has attributed to North Korea, combined with reports that unclassified Pentagon, State Department, and White House communications systems were breached by hackers believed to be Russian, has led the U.S. government to call out its adversaries in cyberspace: North Korea, Iran, Russia, and China, as they are all developing cyber capabilities “to target the U.S. homeland and damage U.S. interests.”

The Pentagon’s cyber strategy, highlighted by Carter, noted that the United States would respond to confirmed intrusions “in accordance with applicable law.” “(The United States is) not going to necessarily hack back in response,” said Ben FitzGerald, director of the technology and national security program at the Center for New American Security. President Barack Obama signed an executive order in March giving the government more flexibility to issue economic sanction on hackers who threaten U.S. interests. “We just need to have a meaningful response — that’s a more mature way of doing it,” FitzGerald said.

Failure of the U.S. government to respond to foreign cyberattacks against private U.S. firms could lead to those firms retaliating with their own cyberattacks. Such “hack backs” are illegal, and could be costly if companies retaliate against hackers who turn out to be backed by nation-states. But “if we leave people hanging, the potential costs to their businesses are worth it, given the costs being imposed” by intellectual property theft or critical cyberattacks, FitzGerald said.