By Cheryl Pellerin
American Forces Press Service
WASHINGTON – Even as the Defense Department
increases investments in cyber capabilities, officials are working to reduce
vulnerabilities in their own networks and in those of contractors who build
sensitive defense systems, Deputy Defense Secretary Ashton B. Carter said
today.
Speaking at the Air Force Association’s
Annual Air and Space Conference and Technology Exposition in Maryland, Carter
said DOD’s cyber concerns are threefold.
“Two of [these parts] we can get our
hands on, including by managerial moves within the department, and a third … is
harder to get our hands on,” the deputy secretary said.
The first is DOD’s defense of its own
networks, he said, noting that task is “technically very challenging.”
It’s paramount that DOD maintains
security and integrity across its cyber networks, Carter said, because “we
depend on them … today in everything we do.”
The second part involves developing
cyber weapons as weapons of war, he said, “doing the intelligence preparation
of the battlefield for their employment and planning for their employment.
Again, that’s something we can do within our own walls and are doing.”
The third part is protecting the nation
at large from cyberattack, he added, a job that’s harder because DOD plays only
a role in a larger cast.
The scope of DOD’s responsibility for
domestic cyber defense extends to the dependence of DOD installations and bases
on the U.S. cyber infrastructure, and on the use of DOD data and plans by
contractors who build the department’s sensitive systems.
“First of all, other parts of the government
have capabilities and responsibilities and we work with them. But the most
important thing is that most of those networks are … owned and controlled by
private entities who typically fail to invest, or underinvest, in their
security,” the deputy secretary said.
“When we offer to assist them in
protecting [the networks], we run up against barriers that we’re slowly trying
to knock down and reason our way through,” he added.
Such barriers could include antitrust
issues if the department provides information to a particular business, he
said.
“Do we have to provide the same
information to company B? Can company A provide information to company B or
does that violate the antitrust laws?” Carter said. “Can company A provide
information back to the United States or is that providing personal information
to the government that is on their networks?”
He questioned whether DOD should require
private industry to control and strengthen its cyber networks, or whether that
would be considered excessive government regulation.
“These are all tough problems,” he said.
When it comes to dealing with issues of safeguarding
the nation as a whole from cyberattack, “we’re working our way through all
these issues, and my own view is [we’re doing it] way too slowly,” Carter said.
The Cybersecurity Act of 2012, which
called for minimum cyber security performance standards for critical
infrastructure that the U.S. government would help develop with private
industry, fell short of passage during an Aug. 8 Senate vote.
“We were hoping for some legislative
relief this summer that we didn’t get out of the Congress,” Carter said.
Meanwhile, he said, the Defense
Department is considering making U.S. Cyber Command, an armed forces subunified
command subordinate to U.S. Strategic Command and led by Army Gen. Keith B.
Alexander, a separate combatant command.
“We are looking at a separate Cyber
Command … and that may be something to do in the future,” Carter said. “But
that by itself is not by any means the whole of everything that we need to do
in cyber.”