The United States is laying out a new strategy for defending cyberspace, making clear the country will not hesitate to counter attacks online and even with conventional military might, if necessary.
U.S. Defense Secretary Ashton Carter unveiled the new cyber strategy in a speech Thursday at Stanford University, saying it is overdue when the same technologies that U.S. ships use to target cruise missiles are “now available to the highest bidder.”
“Adversaries should know that our preference for deterrence and our defensive posture don’t diminish our willingness to use cyber options if necessary,” Carter said, adding, “The response might not occur in cyberspace but might occur in a different way.”
Part of the goal of the new U.S. cyber strategy is to allay concerns that rose following last November’s cyber attack on Sony, which U.S. officials blamed on North Korea, and which had many wondering whether it rose to the level of cyber war.
“Just like Americans expect the Department of Defense to protect the country from a missile attack or other types of attacks, they do so in cyberspace,” a senior Defense Department official said prior to the strategy’s official unveiling.
Defining cyber war
The hope is that under the new guidelines, exactly what constitutes an act of cyber war will be clearer.
“It’s only when those attacks rise to the level of an armed attack, so this is an attack of very significant consequence, not just a denial-of-service attack or a mere hack,” the official said.
But during his talk Thursday at Stanford, the defense secretary said that while the first priority is to defend the Pentagon’s vital networks, “on occasion, we may be called upon to defend other parts of society, and that’s our mission also and we’ll do so.”
Carter added, “That’s a determination that’s going to be made case by case, depending upon danger or potential danger to life and property.”
As part of the new U.S. strategy, the Pentagon has begun building a Cyber Mission Force. Defense officials say they are only about halfway to their goal, but that ultimately, it will encompass 133 teams and more than 6,000 troops working to defend the department’s own infrastructure, as well as provide support for combat operations and even defend vital U.S. interests.
Winning over private industry
But the defense secretary warned that because businesses oversee about 90 percent of the nation’s computer networks, defending American cyberspace is not something the government can do alone.
"If companies themselves don’t invest, our country’s collective cyber security posture is weakened," he said.
Carter added that part of the challenge will be to balance that message with the need to partner with firms and startups in technology hubs like Silicon Valley, which are driving much of the innovation.
But the Pentagon faces a significant challenge in trying to gain the trust of some American security firms, which at least publicly remain skeptical of U.S. spying activities following the intelligence leaks by ex-security contractor Edward Snowden.
“Our companies and our people need to be convinced that everything we do in the cyber domain is lawful and appropriate and necessary,” Carter said.
Restoring ties with tech companies will be a "big challenge" for Carter, according to Rob Pritchard, a cyber security specialist at the Royal United Services Institute, who spoke with VOA Thursday.
"He has to find a way to get them to cooperate whilst allowing them to communicate to their customers that their data is still secure and safe. And I think that's going to be quite difficult," said Pritchard.
He said U.S. technology companies will have a particularly hard time reassuring their customers who live overseas and therefore have fewer privacy protections than American citizens under U.S. law.
Tobias Feakin, a cyber security expert at the Australian Strategic Policy Institute, told VOA he also thought "market forces" have helped push companies to publicly side with their customers who are demanding more privacy.
"There's certainly a shift in many U.S. companies trying to distance themselves somewhat from U.S. government security architectures, because they've taken a hit on share price and they're trying to respond to a customer base who are increasingly wary," Feakin said.
The Defense Department hopes to reach distrustful companies through a permanent outreach center aimed at "scouting emerging and breakthrough technologies," according to a defense official.
The experimental Defense Innovation Unit will be staffed by what officials say is an elite group of active-duty and civilian personnel who will try to recruit some of the industry's top technological minds.
VOA’s William Gallo contributed to this story.