Carter Urges Stepped-up Progress on Cyber Defense

By Cheryl Pellerin

American Forces Press Service

WASHINGTON – Even as the Defense Department increases investments in cyber capabilities, officials are working to reduce vulnerabilities in their own networks and in those of contractors who build sensitive defense systems, Deputy Defense Secretary Ashton B. Carter said today.

Speaking at the Air Force Association’s Annual Air and Space Conference and Technology Exposition in Maryland, Carter said DOD’s cyber concerns are threefold.

“Two of [these parts] we can get our hands on, including by managerial moves within the department, and a third … is harder to get our hands on,” the deputy secretary said.

The first is DOD’s defense of its own networks, he said, noting that task is “technically very challenging.”

It’s paramount that DOD maintains security and integrity across its cyber networks, Carter said, because “we depend on them … today in everything we do.”

The second part involves developing cyber weapons as weapons of war, he said, “doing the intelligence preparation of the battlefield for their employment and planning for their employment. Again, that’s something we can do within our own walls and are doing.”

The third part is protecting the nation at large from cyberattack, he added, a job that’s harder because DOD plays only a role in a larger cast.

The scope of DOD’s responsibility for domestic cyber defense extends to the dependence of DOD installations and bases on the U.S. cyber infrastructure, and on the use of DOD data and plans by contractors who build the department’s sensitive systems.

“First of all, other parts of the government have capabilities and responsibilities and we work with them. But the most important thing is that most of those networks are … owned and controlled by private entities who typically fail to invest, or underinvest, in their security,” the deputy secretary said.

“When we offer to assist them in protecting [the networks], we run up against barriers that we’re slowly trying to knock down and reason our way through,” he added.

Such barriers could include antitrust issues if the department provides information to a particular business, he said.

“Do we have to provide the same information to company B? Can company A provide information to company B or does that violate the antitrust laws?” Carter said. “Can company A provide information back to the United States or is that providing personal information to the government that is on their networks?”

He questioned whether DOD should require private industry to control and strengthen its cyber networks, or whether that would be considered excessive government regulation.

“These are all tough problems,” he said.

When it comes to dealing with issues of safeguarding the nation as a whole from cyberattack, “we’re working our way through all these issues, and my own view is [we’re doing it] way too slowly,” Carter said.

The Cybersecurity Act of 2012, which called for minimum cyber security performance standards for critical infrastructure that the U.S. government would help develop with private industry, fell short of passage during an Aug. 8 Senate vote.

“We were hoping for some legislative relief this summer that we didn’t get out of the Congress,” Carter said.

Meanwhile, he said, the Defense Department is considering making U.S. Cyber Command, an armed forces subunified command subordinate to U.S. Strategic Command and led by Army Gen. Keith B. Alexander, a separate combatant command.

“We are looking at a separate Cyber Command … and that may be something to do in the future,” Carter said. “But that by itself is not by any means the whole of everything that we need to do in cyber.”