Strengthening U.S. cybersecurity capabilities by bolstering cyber defense, deterrence

Deterrence works by convincing any potential adversary that the costs of conducting an attack far outweigh potential benefits, Work said, describing the three pillars of the cyber deterrence strategy as denial, resilience and cost imposition.

Cyber deterrence
“Denial means preventing the cyber adversary from achieving his objectives; resilience is ensuring that our systems will perform their essential military tasks even when they are contested in the cyber environment; and cost imposition is our ability to make our adversaries pay a much higher price for malicious activities than they [expected],” the deputy secretary explained.

Work said that because nearly every successful network exploitation involving the Defense Department can be traced to one or more human errors that allowed entry into the network, raising the level of individual cybersecurity awareness and performance is critical.

“As part of this effort, we recently published a cybersecurity discipline implementation plan and a scorecard that is brought before the secretary and me every month,” he said.

The scorecard holds commanders accountable for hardening and protecting their critical systems, and allows them to hold their personnel accountable, Work said, noting that the first scorecard was published in August.

“Denial also means defending the nation against cyberthreats of significant consequence,” Work said, “and the president has directed DoD, working in partnership with other agencies, to be prepared to blunt and stop the most dangerous cyber events.”

Fighting through cyberattacks
On resilience, Work explained that adversaries view DoD’s cyber dependence as a potential wartime vulnerability, so the department views its ability to fight through cyberattacks as a critical mission function.

“That means normalizing cybersecurity as part of our mission-assurance efforts, building redundancy whenever our systems are vulnerable, and training constantly to operate in a contested environment. Our adversaries have to see that these cyberattacks will not provide them a significant operational advantage,” Work said.

The third aspect of deterrence means demonstrating the ability to respond through cyber and non-cyber means to impose costs on a potential adversary.

“The administration has made clear that we respond to cyberattacks in the time, manner and place of our choosing, and the department has developed cyber options to hold an aggressor at risk in cyberspace if required,” Work said.

Measurable progress
During his testimony, Rogers said the military is in constant contact with agile, learning adversaries in cyberspace who have shown the capacity and willingness to take action against soft targets in the United States.

Some countries are integrating cyber operations into a total strategic concept for advancing their regional ambitions, he said, “to use cyber operations to influence the perceptions and actions of states around them and shape what we see as our options for supporting allies and friends in a crisis.”

“We need to deter these activities by showing that they are unacceptable, unprofitable and risky for the instigators,” he added.

U.S. Cyber Command is building capabilities that contribute to deterrence, the admiral told the panel.

“We are hardening our networks and showing an opponent that cyber aggression won’t be easy,” Rogers said. “We are creating the mission force — trained and ready like any other maneuver element that is defending DoD networks — supporting joint force commanders and helping defend critical infrastructure within our nation.”

U.S. Cyber Command has made measurable progress, he added. “We are achieving significant operational outcomes and we have a clear path ahead.”